I am using jinja2 to safely render templates for email messages from a web contact form. The problem is the characters &, <, >, ', and " are converted to HTML-safe sequences. So
That's all folks!
becomes
That&#39;s all folks!
I want to remove any HTML tags to prevent XSS without any character encoding. Is that possible in jinja2?
Note: the striptags utility also converts characters.
I don't think that's possible. How would you deal with a message such as "That's only true when x<y and x>0"? The parts between < and > are part of the message, but could be interpreted as a (borked) HTML tag.
It's up to the browser to read That&#39;s all folks! and display it correctly by decoding the characters.
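Added example (not code from the question or the answer): the escaping is only needed where the output is interpreted as HTML, so the usual fix is to render the plain-text email body with autoescape off and the HTML email body with autoescape on, selected by template extension; the template names, the sender field and the sample message are assumptions.

```python
"""Render one untrusted contact-form message both as a text/plain email
(no escaping needed: a mail client does not parse it as HTML) and as an
HTML email (escaped, so a '<b>' in the message is shown, not rendered)."""
from jinja2 import DictLoader, Environment, select_autoescape
from markupsafe import Markup, escape

# Constructed sample input: what a visitor typed into the contact form.
MESSAGE = "That's only true when x<y and x>0 <b>not bold</b>"

env = Environment(
    loader=DictLoader({
        # Plain-text body; assumed template name.
        "message.txt": "From {{ sender }}:\n{{ body }}",
        # HTML body; assumed template name.
        "message.html": "<p>From {{ sender }}:</p><p>{{ body }}</p>",
    }),
    # Escape only for *.html templates; leave *.txt output untouched.
    autoescape=select_autoescape(enabled_extensions=("html",), default=False),
)


def render_text(sender: str, body: str) -> str:
    """text/plain part: characters come through exactly as typed."""
    return env.get_template("message.txt").render(sender=sender, body=body)


def render_html(sender: str, body: str) -> str:
    """text/html part: &, <, >, ', " in `body` become entities."""
    return env.get_template("message.html").render(sender=sender, body=body)


def escape_for_html(value: str) -> str:
    """The same conversion jinja2 applies with autoescape on."""
    return str(escape(value))


def displayed_text(escaped: str) -> str:
    """What the reader sees once the browser decodes the entities again."""
    return Markup(escaped).unescape()


if __name__ == "__main__":
    print(render_text("Alice", MESSAGE))
    print(render_html("Alice", MESSAGE))
    # Round trip: the escaped form displays as the original message.
    print(displayed_text(escape_for_html(MESSAGE)) == MESSAGE)
```

The escaped HTML part still displays the original characters, so nothing is lost; only the interpretation of `<b>` as markup is prevented.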