I am using jinja2 to safely render templates for email messages from a web contact form. The problem is the characters &, <, >, ', and " are converted to HTML-safe sequences. So
That’s all folks!
becomes
That&#39;s all folks!
I want to remove any HTML tags to prevent XSS without any character encoding. Is that possible in jinja2?
Note: the striptags utility also converts characters.
I don’t think that’s possible. How would you deal with a message such as
That's only true when x<y and x>0. The parts between < and > are part of the message, but could be interpreted as a (borked) HTML tag. It's up to the browser to read
That&#39;s all folks! and display it correctly by decoding the characters.
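An added example, not code from the question or the answer above, that shows the trade-off in plain Python. It uses the standard library's html.escape, which performs the same conversion of &, <, >, " and ' that jinja2's autoescape does (markupsafe writes the apostrophe as &#39;, html.escape as &#x27;; browsers decode both), so it runs without jinja2 installed. The sample messages and the helper names (escape_like_autoescape, naive_striptags, build_email) are constructed for illustration. It demonstrates that a stripper which removes everything between < and > silently destroys the x<y and x>0 message, while putting the raw message into a text/plain email part needs no HTML escaping at all; only an optional HTML part is escaped.

```python
import html
import re
from email.message import EmailMessage

# Constructed sample messages, as a web contact form might submit them.
SAMPLES = {
    "quote": "That's all folks!",
    "math": "That's only true when x<y and x>0.",
    "xss": "hi <script>alert(1)</script>",
}


def escape_like_autoescape(text: str) -> str:
    """The transformation jinja2 autoescape applies to a value:
    & < > " ' become entities (html.escape writes ' as &#x27;,
    markupsafe writes &#39;; both decode to the same character)."""
    return html.escape(text, quote=True)


# Hypothetical "strip tags but do not encode" filter: drop anything that
# looks like a tag, i.e. a '<' up to the next '>'.
_TAG_RE = re.compile(r"<[^>]*>")


def naive_striptags(text: str) -> str:
    """Removes <...> spans. Neutralises the script tag, but also eats the
    legitimate '<y and x>' in the math message, because the stripper
    cannot tell a tag from a comparison."""
    return _TAG_RE.sub("", text)


def build_email(message: str, with_html_part: bool = False) -> EmailMessage:
    """Put the raw form message into a text/plain part, where '<' and '>'
    are ordinary characters and no HTML escaping is needed or wanted.
    Only the optional text/html alternative is escaped."""
    msg = EmailMessage()
    msg["Subject"] = "Contact form submission"
    msg.set_content(message)  # text/plain, message stored verbatim
    if with_html_part:
        msg.add_alternative(
            f"<p>{escape_like_autoescape(message)}</p>", subtype="html"
        )
    return msg


def plain_body(msg: EmailMessage) -> str:
    """Decoded text/plain part (set_content appends a trailing newline)."""
    return msg.get_body(preferencelist=("plain",)).get_content().rstrip("\n")


def html_body(msg: EmailMessage) -> str:
    """Decoded text/html part, present only when with_html_part=True."""
    return msg.get_body(preferencelist=("html",)).get_content().rstrip("\n")


if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:6} raw:       {text}")
        print(f"{name:6} escaped:   {escape_like_autoescape(text)}")
        print(f"{name:6} striptags: {naive_striptags(text)}")
    mail = build_email(SAMPLES["math"], with_html_part=True)
    print("plain part:", plain_body(mail))
    print("html part: ", html_body(mail))
```

The practical consequence for the contact form: if the email is sent as text/plain, render that part with autoescaping off (or outside jinja2 entirely) and keep the message verbatim; escaping is only required for a text/html part, where the entities are exactly what the browser needs to display x<y literally instead of parsing a tag.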