  2. 6

    Great article! I wonder whether the future of HTML escaping libraries will lie with something like ammonia, which actually parses the HTML before emitting a sanitized version, instead of simple text replacement - at a certain point, I guess it becomes a better idea to just do what a browser would do in order to ensure that your sanitization worked…

    1. 5

      Yeah, I prefer using DOM functions for everything, including templating. With the DOM, everything gets escaped in the proper context and you can do other sanity checks, like always outputting strictly well-formed stuff. An HTML document isn’t really a string and I prefer to avoid pretending it is.

      1. 2

        Do you have a link or example for this method?

      2. 3

        Related: DOMPurify uses DOM APIs exposed to JavaScript to ensure that browser and sanitizer show the same parsing behavior.

      3. 4

        Corollary: you probably never need to escape >. It’s valid outside tags and also inside quoted attributes (I assume you always quote attributes, or you have bigger problems).

        1. 3

          Oh IE - I had no idea about this one:

          Internet Explorer treats ` as an attribute delimiter

          I’m tempted to leave IE users totally exposed to this one. This security issue IMHO is up to the browser vendor to fix, not the individual pages on the internet.
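
The thread above asks for an example of the DOM-style approach (build a tree, then let the serializer escape per context) and discusses which characters actually need escaping. The following is an added example, not code from the article or from any of the commenters: a minimal node builder plus a serializer whose escape sets follow the HTML fragment serialization algorithm (text: `&`, U+00A0, `<`, `>`; double-quoted attribute values: `&`, U+00A0, `"`). The `el`/`serialize` names, the `naiveGreeting` string template and the hostile inputs are all constructed for this demonstration.

```javascript
// Added example (not from the article or the commenters): build markup as a
// tree and serialize it with context-aware escaping instead of templating a
// string. Escape sets follow the HTML fragment serialization algorithm: in text
// '&', U+00A0, '<' and '>' are escaped; inside a double-quoted attribute value
// only '&', U+00A0 and '"' are. Everything else, '>' included, stays literal.

const VOID_ELEMENTS = new Set([
  'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
  'link', 'meta', 'source', 'track', 'wbr',
]);

// Tag and attribute names are template-author data, never user input; this
// check only makes a typo or a mistaken variable fail loudly at build time.
const NAME_RE = /^[a-zA-Z][a-zA-Z0-9-]*$/;

function escapeText(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/\u00a0/g, '&nbsp;')
    .replace(/"/g, '&quot;');
}

// el('a', { href: url }, 'text', el('b', {}, 'more')) -> element node.
// Children are element nodes or plain strings/numbers (text nodes).
function el(tag, attrs = {}, ...children) {
  if (!NAME_RE.test(tag)) throw new Error(`bad tag name: ${tag}`);
  for (const name of Object.keys(attrs)) {
    if (!NAME_RE.test(name)) throw new Error(`bad attribute name: ${name}`);
  }
  return { type: 'element', tag: tag.toLowerCase(), attrs, children };
}

function serialize(node) {
  if (typeof node === 'string' || typeof node === 'number') {
    return escapeText(node);                          // text context
  }
  const { tag, attrs, children } = node;
  let out = `<${tag}`;
  for (const [name, value] of Object.entries(attrs)) {
    if (value === false || value == null) continue;   // attribute omitted
    if (value === true) { out += ` ${name}`; continue; } // boolean attribute
    out += ` ${name}="${escapeAttr(value)}"`;         // attribute context
  }
  out += '>';
  if (VOID_ELEMENTS.has(tag)) return out;             // no end tag, no children
  for (const child of children) out += serialize(child);
  return out + `</${tag}>`;
}

// The string-templating style the thread argues against, for contrast: the
// author has to remember the right escape at every hole, and here forgot.
function naiveGreeting(name) {
  return `<p class="greeting">Hello, ${name}!</p>`;
}

// Same output, built as a tree; `name` can only ever become a text node.
function domGreeting(name) {
  return serialize(el('p', { class: 'greeting' }, 'Hello, ', name, '!'));
}

// Constructed hostile inputs for the demonstration.
const HOSTILE_TEXT = '<img src=x onerror=alert(1)>';
const HOSTILE_ATTR = 'x" onmouseover="alert(1)';

function demo() {
  console.log(naiveGreeting(HOSTILE_TEXT)); // injected tag survives
  console.log(domGreeting(HOSTILE_TEXT));   // rendered as inert text
  console.log(serialize(el('a', { href: HOSTILE_ATTR, hidden: true }, 'link')));
  console.log(serialize(el('img', { src: 'a.png', alt: 'a > b' })));
}

demo();
```

Two caveats a practitioner would add. The serializer only handles the HTML text and attribute-value contexts; a URL-bearing attribute such as `href` is a further context, so `javascript:` URLs pass through as literal attribute text and need a separate URL allowlist. And the attribute escaper is the one place a backtick replacement would go for anyone who decides, unlike the last commenter, to cater for the IE behaviour quoted above. In a real browser, `document.createElement`, `textContent` and `setAttribute` give the same guarantees natively without any serializer of your own.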