
safehtml's Introduction

Safe HTML for Go

safehtml provides immutable string-like types that wrap web types such as HTML, JavaScript and CSS. These wrappers are safe by construction against XSS and similar web vulnerabilities, and they can only be interpolated in safe ways. You can read more about our approach to web security in our whitepaper, or this OWASP talk.

Additional subpackages provide APIs for managing exceptions to the safety rules, and a template engine with a syntax and interface that closely matches html/template. You can refer to the godoc for each (sub)package for the API documentation and code examples. More end-to-end demos are available in example_test.go.
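To make the "safe by construction" idea concrete, here is an added example (not safehtml's own code, and not its API) that re-implements the pattern the README describes in plain Go: a wrapper type whose only constructors either escape untrusted input or are explicitly named as unchecked, so that a value of the type can be written to a response without further thought and every bypass is greppable. The SafeHTML, HTMLEscaped, HTMLConcat, Bold, Paragraph and UncheckedHTML names, and the attacker inputs in main, are assumptions made for this example. The second half renders the same comment with the standard library's html/template, which the README says the safehtml template engine closely matches, to show contextual escaping of a text node and of a URL attribute.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
	"strings"
)

// SafeHTML is a stand-in for a safehtml-style wrapper, written for this example
// (assumption: it mirrors the README's description, not the library's real API).
// The field is unexported, so code outside this package cannot forge a value: the
// only ways to obtain one are the escaping constructor or the clearly named
// unchecked conversion below.
type SafeHTML struct{ s string }

// String returns the wrapped markup, which is safe to write to a response body.
func (h SafeHTML) String() string { return h.s }

// HTMLEscaped is the constructor untrusted input goes through. html.EscapeString
// rewrites < > & ' " so the text cannot open or close tags or attributes.
func HTMLEscaped(untrusted string) SafeHTML {
	return SafeHTML{s: html.EscapeString(untrusted)}
}

// HTMLConcat accepts only SafeHTML values, so the type system, not a runtime check,
// guarantees nothing unescaped is spliced in.
func HTMLConcat(parts ...SafeHTML) SafeHTML {
	var b strings.Builder
	for _, p := range parts {
		b.WriteString(p.s)
	}
	return SafeHTML{s: b.String()}
}

// Bold and Paragraph wrap already-safe content in fixed tags. The tag names are
// literals inside this package, never parameters, so a caller cannot smuggle one in.
func Bold(inner SafeHTML) SafeHTML      { return SafeHTML{s: "<b>" + inner.s + "</b>"} }
func Paragraph(inner SafeHTML) SafeHTML { return SafeHTML{s: "<p>" + inner.s + "</p>"} }

// UncheckedHTML is the escape hatch; in the real library this role is played by the
// "exceptions" subpackages the README mentions. Its only job is to be greppable:
// every call site is a place where a reviewer, not the type system, vouched for
// the string.
func UncheckedHTML(reviewedLiteral string) SafeHTML {
	return SafeHTML{s: reviewedLiteral}
}

// RenderComment builds a comment block from two untrusted strings. Neither string
// can reach the output without passing through HTMLEscaped.
func RenderComment(author, body string) string {
	return Paragraph(HTMLConcat(
		Bold(HTMLEscaped(author)),
		UncheckedHTML(": "), // a literal we wrote ourselves, so vouching for it is trivial
		HTMLEscaped(body),
	)).String()
}

// commentTmpl renders the same comment with the standard library's html/template:
// plain strings are escaped according to the context they land in (text node here,
// URL attribute for Link), and template.HTML would play the role UncheckedHTML
// plays above.
var commentTmpl = template.Must(template.New("comment").Parse(
	`<p><b>{{.Author}}</b>: {{.Body}} <a href="{{.Link}}">link</a></p>`))

// RenderWithTemplate executes commentTmpl against untrusted author, body and link.
func RenderWithTemplate(author, body, link string) (string, error) {
	var b strings.Builder
	err := commentTmpl.Execute(&b, struct{ Author, Body, Link string }{author, body, link})
	return b.String(), err
}

func main() {
	// Constructed attacker input: an HTML tag in the author field and an attribute
	// breakout plus a script element in the body.
	fmt.Println(RenderComment("<b>Eve</b>", `"><script>alert(1)</script>`))

	// html/template replaces a javascript: URL in an href with "#ZgotmplZ" rather
	// than emitting it, and escapes the script element in the text node.
	out, err := RenderWithTemplate("Eve", "<script>x</script>", "javascript:alert(1)")
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

The point of the wrapper is not the escaping itself, which any library can do, but that a function signature taking SafeHTML documents and enforces what it will accept; a code review then only needs to look at UncheckedHTML call sites rather than at every string concatenation.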

This is not an officially supported Google product.

safehtml's People

Contributors

nfelt

safehtml's Issues

add support for html meta tag

<meta name="Description" content="{{.Description}}">

When dynamically setting the content attribute of a meta tag I get the following error.

Critical: frontend.NewServer: NewServer(...): s.renderErrorPage(http.StatusInternalServerError, nil): html/template:base.tmpl:13:36: cannot escape action {{.Description}}: actions must not occur in the "content" attribute value context of a "meta" element

This tag is useful for setting the description of a page in search results or link summary text for applications like Slack and I think should be considered safe.

golang/go#40752

tag with a version

It would be nice if this module had a real semantic version. That can be done by adding a tag of the form vX.Y.Z. If you think the API might change backwards-incompatibly, set X=0, else set X=1. I recommend 0 because even though this package has stabilized inside Google, you may find that external users have different requirements.

safe identifier characters should include all Unicode alphanumerics

The documentation for safe identifiers says "alphanumeric" characters are allowed, but the implementation supports only ASCII letters and numbers. Unless there are security issues with Unicode characters, they should be supported.

Motivation: documentation sites that want to use language identifiers as (part of) fragments for easy navigation, e.g. https://pkg.go.dev.

The change I'm suggesting would be from

var onlyAlphanumericsOrHyphenPattern = regexp.MustCompile(`^[-_a-zA-Z0-9]*$`)

(https://github.com/google/safehtml/blob/v0.0.2/identifier.go#L49)
to

var onlyAlphanumericsOrHyphenPattern = regexp.MustCompile(`^[-_\pL\pN]*$`)
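Before widening an allowlist that guards an identifier, a reviewer would want to confirm what the wider pattern newly admits. The following is an added example, not safehtml code: it runs both patterns quoted in the issue over constructed inputs and checks that, for every ASCII character, the proposed `\pL\pN` pattern gives exactly the same answer as the existing one, so no quote, angle bracket, `&`, `#`, `/`, whitespace or NUL becomes acceptable. It also shows a caveat the regex alone hides: `\pL` covers precomposed letters but not combining marks (`\pM`), so the NFC and NFD spellings of the same word validate differently. The variable names asciiPattern and unicodePattern and the sample identifiers are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
)

// Both patterns are the ones quoted in the issue: the current ASCII-only pattern
// and the proposed Unicode one. The names are this example's, not safehtml's.
var (
	asciiPattern   = regexp.MustCompile(`^[-_a-zA-Z0-9]*$`)
	unicodePattern = regexp.MustCompile(`^[-_\pL\pN]*$`)
)

// Verdict records whether each pattern accepts an identifier.
type Verdict struct{ ASCII, Unicode bool }

// ClassifyIdentifier runs a candidate identifier through both patterns.
func ClassifyIdentifier(s string) Verdict {
	return Verdict{
		ASCII:   asciiPattern.MatchString(s),
		Unicode: unicodePattern.MatchString(s),
	}
}

// WidenedPatternAgreesOnASCII checks the property a reviewer of the change would
// want before accepting it: for every ASCII character the widened pattern answers
// exactly as the old one. That means the characters that matter for breaking out
// of an id or class attribute or a URL fragment (quotes, <, >, &, #, /, whitespace,
// NUL) stay rejected, and only non-ASCII letters and digits are newly admitted.
func WidenedPatternAgreesOnASCII() bool {
	for r := rune(0); r < 0x80; r++ {
		s := string(r)
		if asciiPattern.MatchString(s) != unicodePattern.MatchString(s) {
			return false
		}
	}
	return true
}

func main() {
	// Constructed inputs. "caf\u00e9" (NFC, precomposed e-acute) and "cafe\u0301"
	// (NFD, e followed by a combining acute accent) look identical but only the
	// first matches \pL, because U+0301 is a mark (\pM), not a letter. Code that
	// derives identifiers from user-supplied text should normalize to NFC first,
	// or the same visible name will validate inconsistently.
	for _, s := range []string{"go-tour_1", "Go语言", "caf\u00e9", "cafe\u0301", `a"b`, "a b"} {
		v := ClassifyIdentifier(s)
		fmt.Printf("%-14q ascii=%-5v unicode=%v\n", s, v.ASCII, v.Unicode)
	}
	fmt.Println("widened pattern agrees with the ASCII pattern on every ASCII char:",
		WidenedPatternAgreesOnASCII())
}
```

Note that the check only says the new pattern is no weaker than the old one in the ASCII range; whether it is safe to emit the admitted non-ASCII characters depends on where the identifier is interpolated, which is the context the wrapper type, not this regex, is responsible for.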
