I tried Hiccup:
(hiccup.core/html [:h1 "<script>alert('xss');</script>"]) and, to my surprise, got an alert box: Hiccup does not escape strings by default. I see there is a function to escape strings, but in my opinion, if it isn't the default, sooner or later you'll forget it and be vulnerable to XSS.
Is there a way to have Hiccup escape strings by default?
No, but hiccup.core/h, an alias for escape-html, makes it more convenient:
(hiccup.core/html [:h1 (hiccup.core/h "<script>alert('xss');</script>")])
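The vulnerable render from the question beside the escaped form from the answer, plus a small wrapper that escapes every string in a Hiccup tree so that a single forgotten `h` no longer yields an injection. This is an added example, not code from the question, the answer or the Hiccup project; `escape-tree`, `render-tree` and the `untrusted` sample input are assumptions made here for illustration.

```clojure
(ns example.safe-hiccup
  (:require [hiccup.core :refer [html h]]))

;; Constructed untrusted input, as in the question.
(def untrusted "<script>alert('xss');</script>")

;; Vulnerable: the string is emitted verbatim, so the browser runs the script.
(defn render-unsafe [s]
  (html [:h1 s]))

;; Fixed at the call site, as the answer suggests: escape the string with h,
;; which rewrites at least & < > and " into entities.
(defn render-safe [s]
  (html [:h1 (h s)]))

;; Hypothetical helper (not part of Hiccup): walk a Hiccup tree and escape
;; every string in element bodies before rendering. Attribute maps are passed
;; through untouched so that Hiccup's own attribute handling is not
;; double-escaped; tag keywords and numbers are left as they are.
(defn escape-tree [node]
  (cond
    (string? node) (h node)
    (vector? node) (let [[tag & more] node
                         [attrs children] (if (map? (first more))
                                            [(first more) (rest more)]
                                            [nil more])]
                     (into (if attrs [tag attrs] [tag])
                           (map escape-tree children)))
    (seq? node) (map escape-tree node)          ; e.g. children built with `for`
    :else node))

;; Hypothetical: render with escaping applied to the whole tree, so callers
;; never have to remember h for individual strings.
(defn render-tree [tree]
  (html (escape-tree tree)))

(comment
  (render-unsafe untrusted)               ; <h1><script>alert('xss');</script></h1>
  (render-safe untrusted)                 ; script tags become &lt;script&gt; ...
  (render-tree [:div {:class "post"}
                [:h1 untrusted]
                [:ul (for [s ["a<b" "c&d"]] [:li s])]]))
```

`h` escapes for HTML text content only. Values that end up in `href` or `src` attributes (where `javascript:` URLs are the problem), in inline event handlers, or inside `<script>`/`<style>` bodies need context-specific encoding or an allow-list; entity-escaping does not make them safe there.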