stackoom
  简体   繁体   中英

Escape tags without converting characters

 原文  2012-11-22 03:53:00       python/ html/ email/ jinja2

Question

I am using jinja2 to safely render templates for email messages from a web contact form. The problem is the characters &, <, >, ', and " are converted to HTML-safe sequences. So

That's all folks!

becomes

That&#39;s all folks!

I want to remove any HTML tags to prevent XSS without any without any character encoding. Is that possible in jinja2?

Note: the striptags utility also converts characters.

1 answers

solution1
 3 ACCPTED  2012-11-22 04:01:27

I don't think that's possible. How would you deal with a message such as That's only true when x<y and x>0 . The parts between < and > are part of the message, but could be interpreted as an (borked) HTML tag.

It's up to the browser to read That&#39;s all folks! and display it correctly by decoding the characters.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Converting characters to their python escape sequences How to use escape characters in python fstrings deprecated, without converting to raw string Python - Converting a string with escape characters to json Converting Java escape characters & emojis in a sentence with Python JSON object with single quotes without escape characters Print LIST of unicode chars without escape characters Converting string to tuple without splitting characters How to escape Python Regex special characters without using backslash R system call returning stdin without escape characters Which is the correct way to encode escape characters in Python 2 without killing Unicode?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM