Guide to proper escaping in Play framework

<p>I'm trying to map out how the Play framework supports escaping.</p>

<p>This is a nice page spelling out the needed functionality: <a href="https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet" rel="nofollow noreferrer">https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet</a></p>

<p>So I'm trying to relate that to Play template features and fully understand what Play does and doesn't do.</p>

<ul>
<li>HTML escaping: <code>${}</code> or the <code>escape()</code> function</li>
<li>Attribute escaping: I can't find a built-in solution</li>
<li>JavaScript escaping: there's an <code>escapeJavaScript()</code> <a href="http://www.playframework.org/documentation/1.2/javaextensions" rel="nofollow noreferrer">http://www.playframework.org/documentation/1.2/javaextensions</a></li>
<li>CSS escaping: I can't find a built-in solution</li>
<li>URL escaping: nothing special built-in, but usual Java solution e.g. <a href="https://stackoverflow.com/questions/607176/java-equivalent-to-javascripts-encodeuricomponent-that-produces-identical-output">Java equivalent to JavaScript&#39;s encodeURIComponent that produces identical output?</a> - Update: there's urlEncode() at <a href="http://www.playframework.org/documentation/1.2/javaextensions" rel="nofollow noreferrer">http://www.playframework.org/documentation/1.2/javaextensions</a></li>
</ul>

<p>Another point of confusion is the support for <code>index.json</code> (i.e. using templates to build JSON instead of HTML). Does <code>${}</code> magically switch to JavaScript escaping in a JSON document, or does it still escape HTML, so everything in a JSON template has to have an explicit <code>escapeJavaScript()</code>?</p>

<p>There's also an addSlashes() on <a href="http://www.playframework.org/documentation/1.2/javaextensions" rel="nofollow noreferrer">http://www.playframework.org/documentation/1.2/javaextensions</a> , but it doesn't seem quite right for any of the situations I can think of. (?)</p>

<p>It would be great to have a thorough guide on how to do all the flavors of escaping in Play. It looks to me like the answer is "roll your own" in several cases but maybe I'm missing what's included.</p>
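The question lists five output contexts from the OWASP cheat sheet and asks what happens when HTML escaping is applied inside a JSON template. The following added example (not Play framework code and not from the question's author; the function names are my own, and the sample input is constructed) implements one escaper per context using the OWASP rules, and shows why the contexts are not interchangeable: HTML-escaped text placed in a JSON string is valid JSON but no longer carries the original value, while a JavaScript-style \xHH escape is not valid JSON at all, so a JSON template needs its own \uHHHH escaper.

```python
"""Context-aware output escaping following the OWASP XSS Prevention Cheat Sheet.

Added illustration only: this is not the Play framework's implementation and the
function names below are assumptions made for this example.
"""
import json
from urllib.parse import quote

# Constructed sample containing a character that matters in every context:
# a quote, an element terminator, an ampersand and double quotes.
SAMPLE = "O'Reilly </b> & \"x\""

_HTML_MAP = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;",
    '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
}


def _is_safe(ch: str) -> bool:
    """Only ASCII letters and digits pass through unchanged in the strict encoders."""
    return ch.isascii() and ch.isalnum()


def escape_html(value: str) -> str:
    """HTML element content (what a template's ${} is expected to do)."""
    return "".join(_HTML_MAP.get(ch, ch) for ch in value)


def escape_html_attr(value: str) -> str:
    """HTML attribute value: every non-alphanumeric character becomes &#xHH;,
    so the value can never terminate the attribute, quoted or not."""
    return "".join(ch if _is_safe(ch) else f"&#x{ord(ch):02X};" for ch in value)


def escape_js(value: str) -> str:
    """Quoted JavaScript string literal: \\xHH for Latin-1, \\uHHHH above that."""
    out = []
    for ch in value:
        if _is_safe(ch):
            out.append(ch)
        elif ord(ch) < 256:
            out.append(f"\\x{ord(ch):02X}")
        else:
            out.append(f"\\u{ord(ch):04X}")
    return "".join(out)


def escape_json(value: str) -> str:
    """Quoted JSON string literal: JSON only knows \\uHHHH escapes, never \\xHH,
    so this output is valid both in a JSON document and inside <script>."""
    return "".join(ch if _is_safe(ch) else f"\\u{ord(ch):04X}" for ch in value)


def escape_css(value: str) -> str:
    """CSS string or property value: \\HH followed by a space as terminator."""
    return "".join(ch if _is_safe(ch) else f"\\{ord(ch):02X} " for ch in value)


def escape_url_param(value: str) -> str:
    """URL query parameter value: percent-encode everything but unreserved characters."""
    return quote(value, safe="")


def render_all(value: str) -> dict:
    """One fragment per context, each built with the escaper for that context."""
    return {
        "html": f"<p>{escape_html(value)}</p>",
        "attr": f'<input value="{escape_html_attr(value)}">',
        "js": f"var name = '{escape_js(value)}';",
        "json": f'{{"name": "{escape_json(value)}"}}',
        "css": f"body::after {{ content: '{escape_css(value)}'; }}",
        "url": f"/search?q={escape_url_param(value)}",
    }


def json_roundtrip(escaped: str):
    """Parse an escaped string as a JSON literal; None if it is not valid JSON."""
    try:
        return json.loads(f'"{escaped}"')
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    for ctx, fragment in render_all(SAMPLE).items():
        print(f"{ctx:5} {fragment}")
    # The question's JSON point: HTML escaping parses but corrupts the value,
    # \xHH escaping does not parse, \uHHHH escaping round-trips exactly.
    print("html-in-json :", json_roundtrip(escape_html(SAMPLE)))
    print("js-in-json   :", json_roundtrip(escape_js(SAMPLE)))
    print("json-in-json :", json_roundtrip(escape_json(SAMPLE)))
```

Each encoder is deliberately strict (everything except ASCII alphanumerics is encoded) because that is the OWASP recommendation for the attribute, JavaScript and CSS contexts; the HTML element encoder only needs the six entity replacements. The round-trip helper makes the JSON problem concrete: only the \uHHHH form both parses and preserves the data.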