Escape HTML (#366)

2024-11-23 14:31:07 +01:00 · 2020-09-15 01:02:57 +09:00 · 2020-09-15 01:02:57 +09:00 · e3c6a1ec07
commit e3c6a1ec07
parent 49e29a5751
3 changed files with 10 additions and 3 deletions
--- a/todo/Cargo.toml
+++ b/todo/Cargo.toml
@ -15,7 +15,7 @@ futures = "0.3.1"
 log = "0.4.3"
 serde = { version = "1.0.69", features = ["derive"] }
 serde_json = "1.0.22"
-tera = "1.0"
+tera = "1.5.0"

 [dependencies.diesel]
 features = ["postgres", "r2d2"]
--- a/todo/src/main.rs
+++ b/todo/src/main.rs
@ -33,7 +33,14 @@ async fn main() -> io::Result<()> {
    let app = move || {
        debug!("Constructing the App");

-        let templates: Tera = Tera::new("templates/**/*").unwrap();
+        let mut templates = match Tera::new("templates/**/*") {
+            Ok(t) => t,
+            Err(e) => {
+                println!("Parsing error(s): {}", e);
+                ::std::process::exit(1);
+            }
+        };
+        templates.autoescape_on(vec!["tera"]);

        let session_store = CookieSession::signed(SESSION_SIGNING_KEY).secure(false);

--- a/todo/templates/index.html.tera
+++ b/todo/templates/index.html.tera
@ -52,7 +52,7 @@
              {% else %}
                <form action="/todo/{{task.id}}" class="link" method="post">
                  <input type="hidden" name="_method" value="put" />
-                  <button type="submit" class="link">{{ task.description }}</button>
+                  <button type="submit" class="link">{{task.description}}</button>
                </form>
              {% endif %}
            </li>