Escape tags without converting characters
I am using jinja2 to safely render templates for email messages from a web contact form. The problem is the characters &, <, >, ', and " are converted to HTML-safe sequences. So

That's all folks!

becomes

That&#39;s all folks!

I want to remove any HTML tags to prevent XSS without any character encoding. Is that possible in jinja2?

Note: the striptags utility also converts characters.
I don't think that's possible. How would you deal with a message such as

That's only true when x<y and x>0

The parts between < and > are part of the message, but could be interpreted as a (borked) HTML tag.

It's up to the browser to read That&#39;s all folks! and display it correctly by decoding the characters.
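Added example, not part of the question or the answer above: a standard-library reproduction of the two behaviours discussed (escaping converts characters; tag stripping cannot tell a tag from a math expression) together with the safe route for contact-form mail. It assumes `html.escape` standing in for jinja2's autoescape (jinja2/markupsafe emits `&#39;` for the apostrophe, `html.escape` emits `&#x27;`) and a small `strip_tags` helper as a stand-in for the `striptags` filter; neither is jinja2's own code.

```python
"""Reproduce, with the standard library only, why "strip tags but keep
characters" is ambiguous, and show the two safe ways to send the message.

Assumptions (not from the original page):
  * html.escape stands in for jinja2 autoescape (entity spelling differs).
  * strip_tags below is a stand-in for the |striptags filter.
  * Sample messages are constructed for the demonstration.
"""
import html
from email.message import EmailMessage
from html.parser import HTMLParser

# Constructed sample inputs taken from the discussion.
GREETING = "That's all folks!"
MATH = "That's only true when x<y and x>0"


class _TextOnly(HTMLParser):
    """Collect text nodes and silently drop anything parsed as a tag."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []

    def handle_data(self, data: str) -> None:
        self.parts.append(data)


def strip_tags(text: str) -> str:
    """Remove everything the HTML parser treats as a tag (striptags stand-in).

    For MATH the parser sees '<y and x>' as a start tag named 'y' with two
    attributes, so that part of the sentence disappears: the ambiguity the
    answer describes.
    """
    parser = _TextOnly()
    parser.feed(text)
    parser.close()
    return "".join(parser.parts)


def escape_for_html(text: str) -> str:
    """What autoescaping does: characters survive, but as entities."""
    return html.escape(text, quote=True)


def plain_text_email(body: str) -> EmailMessage:
    """Safe option 1: send text/plain. No HTML is interpreted, so no tag
    stripping and no entity encoding are needed; the characters go as-is."""
    msg = EmailMessage()
    msg["Subject"] = "Contact form"
    msg.set_content(body)  # subtype defaults to "plain"
    return msg


def html_email(body: str) -> EmailMessage:
    """Safe option 2: send text/html with the user text escaped. The mail
    client decodes &#x27; back to an apostrophe when rendering."""
    msg = EmailMessage()
    msg["Subject"] = "Contact form"
    msg.set_content(f"<p>{escape_for_html(body)}</p>", subtype="html")
    return msg


if __name__ == "__main__":
    print("escaped :", escape_for_html(GREETING))
    print("stripped:", strip_tags(MATH))  # the '<y and x>' part is gone
    print(plain_text_email(GREETING).get_content_type())
```

The stripped output of `MATH` loses the comparison in the middle of the sentence, which is exactly why the answer says the request cannot be satisfied in general: a tag stripper has no way to know that `<y and x>` was prose. For a contact form that only needs to reach a mailbox, sending `text/plain` sidesteps the whole problem; if HTML mail is wanted, keep autoescaping on and let the client decode the entities.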