⚾︎
2023-08-17
This came out of filing a doc bug on a related topic: why do Jinja and Tera templates automatically escape the contents of variable references when rendering them into a potential URL or HTML context?
Tera's auto-escaping behavior follows the recommendations of the OWASP Cross-Site Scripting (XSS) Prevention cheat sheet. That cheat sheet is written for dynamically generated web content, where the values interpolated into HTML or JavaScript may be attacker-controlled. The Zola static site generator uses Tera in a context that doesn't expose this data to the same attacks: the variables come from the site's own content and configuration rather than from a request, so the escaping is still applied, but the threat model it was designed for mostly isn't there.
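To make the cheat sheet's point concrete, here is an added illustration (not code from this post, nor from Jinja, Tera or Zola): a hypothetical mini-renderer that mimics the `{{ name }}` / `{{ name | safe }}` convention, shows what HTML entity escaping neutralises in element content and quoted attributes, and shows the URL case the cheat sheet calls out separately, where escaping alone does nothing against a `javascript:` URL and the scheme has to be validated instead. The template syntax, `safe_url` allow-list and payload strings are all constructed for the example.

```python
# Added illustration (not Jinja, Tera, or Zola code): what context-aware
# auto-escaping buys you, and the URL case where HTML escaping alone does not help.
import html
import re
from urllib.parse import urlsplit

# Hypothetical mini-template syntax modelled on the Jinja/Tera convention:
# {{ name }} is escaped on output, {{ name | safe }} is emitted verbatim.
_VAR = re.compile(r"\{\{\s*(\w+)\s*(\|\s*safe\s*)?\}\}")


def render(template: str, ctx: dict, autoescape: bool = True) -> str:
    """Substitute variables; entity-encode &, <, >, ", ' unless marked safe."""
    def substitute(match):
        value = str(ctx[match.group(1)])
        if match.group(2) is not None or not autoescape:
            return value
        # OWASP XSS cheat sheet rule for HTML body and quoted attributes:
        # encode the five characters that can break out of the context.
        return html.escape(value, quote=True)
    return _VAR.sub(substitute, template)


# Scheme allow-list for values that land in href/src. Escaping does not change
# "javascript:alert(1)" at all, so URL context needs validation, not encoding.
SAFE_SCHEMES = {"http", "https", "mailto"}


def safe_url(value: str) -> str:
    """Return the URL if its scheme is allowed (or it is relative), else an inert '#'."""
    scheme = urlsplit(value.strip()).scheme.lower()
    if scheme and scheme not in SAFE_SCHEMES:
        return "#"
    return value


# Constructed attacker-style inputs (not taken from any real site).
SCRIPT_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'
URL_PAYLOAD = "javascript:alert(1)"


def demo() -> dict:
    """Render each payload in the contexts the cheat sheet distinguishes."""
    return {
        # Element content: escaping neutralises the tag.
        "body_escaped": render("<p>{{ v }}</p>", {"v": SCRIPT_PAYLOAD}),
        # | safe (or autoescape off) re-introduces the injection.
        "body_safe": render("<p>{{ v | safe }}</p>", {"v": SCRIPT_PAYLOAD}),
        "body_noescape": render("<p>{{ v }}</p>", {"v": SCRIPT_PAYLOAD}, autoescape=False),
        # Quoted attribute: the " is encoded, so the value cannot close the attribute.
        "attr_escaped": render('<input value="{{ v }}">', {"v": ATTR_PAYLOAD}),
        # href: escaping leaves the javascript: URL intact...
        "href_escaped_only": render('<a href="{{ u }}">x</a>', {"u": URL_PAYLOAD}),
        # ...so validate the scheme first, then escape as usual.
        "href_validated": render('<a href="{{ u }}">x</a>', {"u": safe_url(URL_PAYLOAD)}),
        "href_ok": render('<a href="{{ u }}">x</a>', {"u": safe_url("https://example.com/?q=<x>")}),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:18} {out}")
```

The takeaway for a static site is the same as for a dynamic one: the escaping is harmless when the variable holds your own front matter, and `| safe` is the explicit opt-out for content you know is already HTML, but a value that ends up in `href` or `src` needs a scheme check that no output-encoding filter provides.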
But the XSS page is only one entry in a much bigger series.
OWASP Cheat Sheet Series: https://cheatsheetseries.owasp.org/ (it also has a "download whole site" link, bundle.zip, and an Atom feed, News.xml!)
OWASP Cheat Sheet project home: https://owasp.org/www-project-cheat-sheets/ (an OWASP "Flagship Project")
So: Today I Learned about the OWASP Cheatsheet Series, and now you did too.