1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58
/// Escape HTML following [OWASP](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet) /// /// Escape the following characters with HTML entity encoding to prevent switching /// into any execution context, such as script, style, or event handlers. Using /// hex entities is recommended in the spec. In addition to the 5 characters /// significant in XML (&, <, >, ", '), the forward slash is included as it helps /// to end an HTML entity. /// /// ```text /// & --> & /// < --> < /// > --> > /// " --> " /// ' --> ' ' is not recommended /// / --> / forward slash is included as it helps end an HTML entity /// ``` #[inline] // TODO: check if the inline matters in benches pub fn escape_html(input: &str) -> String { let mut output = String::with_capacity(input.len() * 2); for c in input.chars() { match c { '&' => output.push_str("&"), '<' => output.push_str("<"), '>' => output.push_str(">"), '"' => output.push_str("""), '\'' => output.push_str("'"), '/' => output.push_str("/"), // Additional one for old IE (unpatched IE8 and below) // See https://github.com/OWASP/owasp-java-encoder/wiki/Grave-Accent-Issue '`' => output.push_str("`"), _ => output.push(c) } } // Not using shrink_to_fit() on purpose output } #[cfg(test)] mod tests { use super::{escape_html}; #[test] fn test_escape_html() { let tests = vec![ (r"a&b", "a&b"), (r"<a", "<a"), (r">a", ">a"), (r#"""#, """), (r#"'"#, "'"), (r#"大阪"#, "大阪"), ]; for (input, expected) in tests { assert_eq!(escape_html(input), expected); } } }