Merge pull request #15398 from RasmusWL/html-escape

Python: Add `html.escape` as HTML sanitizer
2026-04-30 03:05:15 +02:00 · 2024-01-30 16:06:01 +01:00
parent 8aa3542d13 c70b32f7eb
commit c265c15f3f
3 changed files with 42 additions and 0 deletions
--- a/python/ql/test/library-tests/frameworks/stdlib/test_html.py
+++ b/python/ql/test/library-tests/frameworks/stdlib/test_html.py
@@ -0,0 +1,9 @@
+import html
+
+s = "tainted"
+
+html.escape(s) # $ escapeInput=s escapeKind=html escapeOutput=html.escape(..)
+html.escape(s, True) # $ escapeInput=s escapeKind=html escapeOutput=html.escape(..)
+# not considered html escapes, since they don't escape all relevant characters
+html.escape(s, False)
+html.escape(s, quote=False)