pub fn for_html_content(input: &str) -> String
encodes `input` for safe embedding in HTML text content (the text between tags).
this encoder does not encode quote characters and is therefore
not safe for attribute values; use `for_html` or
`for_html_attribute` for attribute contexts.
§encoded characters
| input | output |
|---|---|
| & | & |
| < | < |
| > | > |
(as rendered here the output column has lost its escaping and shows the raw character rather than the encoded form.)
invalid XML characters are replaced with a space.
§examples
use contextual_encoder::for_html_content;
assert_eq!(for_html_content("1 < 2 & 3 > 0"), "1 < 2 & 3 > 0");
// quotes are NOT encoded — do not use in attributes
assert_eq!(for_html_content(r#"she said "hi""#), r#"she said "hi""#);
examples/contexts.rs (line 32)
fn main() {
    // one output row per encoder: " <label>: <encoded value>".
    // generic over Display so it works whatever type each encoder returns.
    fn show<T: std::fmt::Display>(label: &str, encoded: T) {
        println!(" {label}: {encoded}");
    }

    let input = r#"<script>alert("xss")</script>"#;

    println!("input: {input}");
    println!();

    // -----------------------------------------------------------------------
    // side by side: every encoder applied to the same input
    // -----------------------------------------------------------------------

    println!("--- html ---");
    // text content and quoted attributes alike — the safe choice when unsure
    show("for_html", for_html(input));
    // text nodes only: quotes pass through, so this must never land in an attribute
    show("for_html_content", for_html_content(input));
    // quoted attribute values only: slightly smaller output, leaves > alone
    show("for_html_attribute", for_html_attribute(input));
    // unquoted attribute values: the strictest html encoder (whitespace, grave, ...)
    show("for_html_unquoted_attribute", for_html_unquoted_attribute(input));
    println!();

    println!("--- javascript ---");
    // works in event attributes, <script> blocks and .js files alike
    show("for_javascript", for_javascript(input));
    // event attributes such as onclick="..." — leaves / unescaped
    show("for_javascript_attribute", for_javascript_attribute(input));
    // <script> blocks: emits \" and \', so it is unsafe inside html attributes
    show("for_javascript_block", for_javascript_block(input));
    // plain .js / json files: minimal escaping, unsafe in every html context
    show("for_javascript_source", for_javascript_source(input));
    println!();

    println!("--- css ---");
    // quoted css strings, e.g. content: "..." or font-family: "..."
    show("for_css_string", for_css_string(input));
    // css url(): same as for_css_string except parentheses are kept
    show("for_css_url", for_css_url(input));
    println!();

    println!("--- uri ---");
    // a single query parameter or path segment — not a whole url
    show("for_uri_component", for_uri_component(input));
    println!();

    // -----------------------------------------------------------------------
    // in practice: one realistic value per sink, matched to the right encoder
    // -----------------------------------------------------------------------

    println!("--- practical usage ---");

    // html text node: for_html_content is the right tool
    let user_name = r#"Bob <img src=x onerror="alert(1)">"#;
    println!(r#" <p>{}</p>"#, for_html_content(user_name));

    // nested sinks are encoded inside out: percent-encode the query value first,
    // then attribute-encode the whole href it ends up in
    let user_query = "hello world & goodbye";
    let href = format!("/search?q={}", for_uri_component(user_query));
    println!(r#" <a href="{}">search</a>"#, for_html_attribute(&href));

    // a genuine css string sink: a quoted content value inside a stylesheet
    let user_css_text = r#"hello "css" \ test"#;
    println!(
        r#" <style>.msg::after {{ content: "{}"; }}</style>"#,
        for_css_string(user_css_text),
    );

    // javascript string literal inside an event-handler attribute
    let user_text = r#"hi from </script><script>alert(1)</script>"#;
    println!(
        r#" <button onclick="greet('{}');">hi</button>"#,
        for_javascript_attribute(user_text),
    );
}