
for_javascript_block

Function for_javascript_block 

pub fn for_javascript_block(input: &str) -> String

Encodes `input` for safe embedding inside a quoted JavaScript string literal within an HTML `<script>` block. The caller is still responsible for placing the result between the quote characters of the literal; the output is only meaningful inside those quotes, not as a bare JavaScript expression.

Uses backslash escapes for quotes (`\"`, `\'`), which are more readable than hex escapes but are not safe in HTML attribute contexts such as `onclick="..."`: the HTML parser decodes the attribute value before the JavaScript engine sees it, and a backslash does not protect the quote at the HTML layer, so `\"` can terminate the attribute. Use `for_javascript_attribute` for event-handler attributes, or `for_javascript` when the destination is not known in advance. Still encodes `&` (for XHTML compatibility) and `/` (so that `</script>` inside the data cannot close the enclosing script element). Whether other characters (for example the U+2028/U+2029 line terminators) are encoded is not stated here — check the source before relying on it.

§examples

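use contextual_encoder::for_javascript_block;

// quotes become backslash escapes; the other characters in this input pass through unchanged
assert_eq!(for_javascript_block(r#"he said "hi""#), r#"he said \"hi\""#);
// the slash in the closing tag is escaped, so the data cannot end the <script> element
assert_eq!(for_javascript_block("</script>"), r"<\/script>");

// the encoded value must be placed INSIDE the quotes of a JavaScript string literal
let page = format!(
    r#"<script>var msg = "{}";</script>"#,
    for_javascript_block(r#"he said "hi""#),
);
assert_eq!(page, r#"<script>var msg = "he said \"hi\"";</script>"#);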
examples/contexts.rs (line 61)
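fn main() {
    let input = r#"<script>alert("xss")</script>"#;

    println!("input: {input}");
    println!();

    // Prints one "label  value" row. Every label is padded to the same width so
    // the encoder outputs line up for side-by-side comparison.
    fn show(label: &str, encoded: impl std::fmt::Display) {
        println!("  {label:<30}{encoded}");
    }

    // -----------------------------------------------------------------------
    // comparison: same input across all encoders
    // -----------------------------------------------------------------------

    println!("--- html ---");
    // html text content AND quoted attributes (safe default when unsure)
    show("for_html:", for_html(input));
    // html text nodes only — does NOT encode quotes, so never use in attributes
    show("for_html_content:", for_html_content(input));
    // quoted attribute values only — does NOT encode >, slightly more minimal
    show("for_html_attribute:", for_html_attribute(input));
    // unquoted attribute values — most aggressive, encodes whitespace/grave/etc.
    show("for_html_unquoted_attribute:", for_html_unquoted_attribute(input));
    println!();

    println!("--- javascript ---");
    // universal js encoder — safe in event attrs, <script> blocks, and .js files
    show("for_javascript:", for_javascript(input));
    // html event attributes (onclick="...") — does not escape /
    show("for_javascript_attribute:", for_javascript_attribute(input));
    // <script> blocks — uses \" and \' (not safe in html attributes)
    show("for_javascript_block:", for_javascript_block(input));
    // standalone .js / json files — minimal, NOT safe in any html context
    show("for_javascript_source:", for_javascript_source(input));
    println!();

    println!("--- css ---");
    // quoted css string values, e.g., content: "..." or font-family: "..."
    show("for_css_string:", for_css_string(input));
    // css url() values — like for_css_string but parens pass through
    show("for_css_url:", for_css_url(input));
    println!();

    println!("--- uri ---");
    // uri component (query params, path segments) — NOT for full urls
    show("for_uri_component:", for_uri_component(input));
    println!();

    // -----------------------------------------------------------------------
    // practical: one realistic input per sink, correct encoder for each
    // -----------------------------------------------------------------------

    let user_name = r#"Bob <img src=x onerror="alert(1)">"#;
    let user_query = "hello world & goodbye";
    let user_text = r#"hi from </script><script>alert(1)</script>"#;
    let user_css_text = r#"hello "css" \ test"#;

    println!("--- practical usage ---");

    // html text node — for_html_content is the right encoder
    println!(r#"  <p>{}</p>"#, for_html_content(user_name));

    // nested context: uri component inside an html attribute.
    // encode from inside out: first percent-encode the query value,
    // then html-attribute-encode the entire href.
    let href = format!("/search?q={}", for_uri_component(user_query));
    println!(r#"  <a href="{}">search</a>"#, for_html_attribute(&href));

    // actual css string context: a quoted content value in a stylesheet
    println!(
        r#"  <style>.msg::after {{ content: "{}"; }}</style>"#,
        for_css_string(user_css_text),
    );

    // javascript string inside an event-handler attribute — the attribute
    // encoder is required here; the \" / \' escapes used by the block encoder
    // are not safe once an HTML parser decodes the attribute value.
    println!(
        r#"  <button onclick="greet('{}');">hi</button>"#,
        for_javascript_attribute(user_text),
    );

    // javascript string inside a <script> block — the encoded value must sit
    // between the quotes of the literal; for_javascript_block escapes the / in
    // "</script>" so the data cannot close the enclosing script element.
    println!(
        r#"  <script>var greeting = "{}";</script>"#,
        for_javascript_block(user_text),
    );
}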
111    );
112
113    // javascript string inside an event-handler attribute
114    println!(
115        r#"  <button onclick="greet('{}');">hi</button>"#,
116        for_javascript_attribute(user_text),
117    );
118}