dream: HTML escaping (dream-escape) + fix XSS hole in todo demo + 11 tests
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 1m9s
Some checks failed
Test, Build, and Deploy / test-build-deploy (push) Failing after 1m9s
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
24
lib/dream/html.sx
Normal file
24
lib/dream/html.sx
Normal file
@@ -0,0 +1,24 @@
|
||||
;; lib/dream/html.sx — Dream-on-SX HTML escaping for safe templating.
|
||||
;; Interpolating user input into HTML without escaping is an XSS hole; dream-escape
|
||||
;; neutralises it. Depends on nothing (pure string ops).
|
||||
|
||||
;; escape text for HTML element content / double-quoted attributes
|
||||
(define
|
||||
dream-escape
|
||||
(fn
|
||||
(s)
|
||||
(replace
|
||||
(replace
|
||||
(replace (replace (replace s "&" "&") "<" "<") ">" ">")
|
||||
"\""
|
||||
""")
|
||||
"'"
|
||||
"'")))
|
||||
|
||||
;; build a single attribute: name="escaped-value"
|
||||
(define dream-attr (fn (name val) (str name "=\"" (dream-escape val) "\"")))
|
||||
|
||||
;; join escaped text with a separator, escaping each piece
|
||||
(define
|
||||
dream-escape-join
|
||||
(fn (sep pieces) (join sep (map dream-escape pieces))))
|
||||
Reference in New Issue
Block a user