
for_css_url

Function for_css_url 

pub fn for_css_url(input: &str) -> String

encodes input for safe embedding in a CSS url() value.

identical to for_css_string except parentheses ( and ) are not encoded (they are part of the url() syntax, not the value).

the URL must be validated before encoding (e.g., ensure the scheme is allowed): encoding only prevents breaking out of the url() syntax; it does not make a malicious URL safe.

Examples

use contextual_encoder::for_css_url;

let plain = for_css_url("image.png");
assert_eq!(plain, "image.png");
// ' becomes \27; the next char b is a hex digit, so a space terminates the escape
let quoted = for_css_url("a'b");
assert_eq!(quoted, r"a\27 b");
// parentheses belong to the url() syntax and pass through untouched
let parens = for_css_url("a(b)");
assert_eq!(parens, "a(b)");
examples/contexts.rs (line 76)
fn main() {
    // one hostile-looking input, pushed through every encoder so the
    // differences between output contexts are visible side by side
    let input = r#"<script>alert("xss")</script>"#;

    println!("input: {input}");
    println!();

    // ---- comparison: the same input across all encoders ----

    println!("--- html ---");
    // text content and quoted attributes alike (the safe default when unsure)
    println!("  for_html:                     {}", for_html(input));
    // text nodes only: quotes are left alone, so never use it for attribute values
    println!("  for_html_content:             {}", for_html_content(input));
    // quoted attribute values only: leaves > alone, slightly more minimal
    println!("  for_html_attribute:           {}", for_html_attribute(input));
    // unquoted attribute values: the most aggressive, also encodes whitespace, grave, etc.
    println!("  for_html_unquoted_attribute:  {}", for_html_unquoted_attribute(input));
    println!();

    println!("--- javascript ---");
    // the universal js encoder: event attributes, <script> blocks and .js files
    println!("  for_javascript:               {}", for_javascript(input));
    // event-handler attributes such as onclick="..." (the / is not escaped)
    println!("  for_javascript_attribute:     {}", for_javascript_attribute(input));
    // <script> blocks: uses \" and \', so not for html attributes
    println!("  for_javascript_block:         {}", for_javascript_block(input));
    // standalone .js / json files: minimal, not safe in any html context
    println!("  for_javascript_source:        {}", for_javascript_source(input));
    println!();

    println!("--- css ---");
    // quoted css string values such as content: "..." or font-family: "..."
    println!("  for_css_string:               {}", for_css_string(input));
    // css url() values: same as for_css_string, but parentheses pass through
    println!("  for_css_url:                  {}", for_css_url(input));
    println!();

    println!("--- uri ---");
    // a single uri component (query parameter, path segment), never a whole url
    println!("  for_uri_component:            {}", for_uri_component(input));
    println!();

    // ---- practical: one realistic input per sink, with the matching encoder ----

    println!("--- practical usage ---");

    // html text node: for_html_content is the matching encoder
    let user_name = r#"Bob <img src=x onerror="alert(1)">"#;
    let name_html = for_html_content(user_name);
    println!(r#"  <p>{name_html}</p>"#);

    // nested context: a uri component inside an html attribute.
    // encode from the inside out: percent-encode the query value first,
    // then html-attribute-encode the whole href.
    let user_query = "hello world & goodbye";
    let href = format!("/search?q={}", for_uri_component(user_query));
    let href_attr = for_html_attribute(&href);
    println!(r#"  <a href="{href_attr}">search</a>"#);

    // a real css string context: a quoted content value inside a stylesheet
    let user_css_text = r#"hello "css" \ test"#;
    let css_value = for_css_string(user_css_text);
    println!(r#"  <style>.msg::after {{ content: "{css_value}"; }}</style>"#);

    // a javascript string inside an event-handler attribute
    let user_text = r#"hi from </script><script>alert(1)</script>"#;
    let js_value = for_javascript_attribute(user_text);
    println!(r#"  <button onclick="greet('{js_value}');">hi</button>"#);
}