不转换字符的转义标签
[英]Escape tags without converting characters
问题描述
I am using jinja2 to safely render templates for email messages from a web contact form.
我正在使用jinja2来安全地呈现来自 Web 联系表单的电子邮件消息模板。 The problem is the characters &, <, >, ', and " are converted to HTML-safe sequences. So问题是字符 &、<、>、' 和 " 被转换为 HTML 安全序列。所以
That's all folks!
becomes变成
That's all folks!
I want to remove any HTML tags to prevent XSS without any without any character encoding.我想删除任何 HTML 标签以防止没有任何字符编码的XSS 。 Is that possible in jinja2?这在jinja2中可能吗?
Note: the striptags utility also converts characters.注意:striptags实用程序也会转换字符。
1 个解决方案
解决方案1
3 已采纳 2012-11-22 04:01:27
I don't think that's possible.我不认为那是可能的。 How would you deal with a message such as That's only true when x<y and x>0 .您将如何处理诸如That's only true when x<y and x>0 。 The parts between < and > are part of the message, but could be interpreted as an (borked) HTML tag. <和>之间的部分是消息的一部分,但可以解释为(borked)HTML 标记。
It's up to the browser to read That's all folks!由浏览器来阅读That's all folks! and display it correctly by decoding the characters.并通过解码字符正确显示它。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.