diff --git a/src/utils.rs b/src/utils.rs index 67a39fec..49d5f270 100644 --- a/src/utils.rs +++ b/src/utils.rs @@ -1,21 +1,28 @@ use crate::errors::Error; -/// Escape HTML following [OWASP](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet) +/// Escape text for inclusion in HTML or XML body text or quoted attribute values. /// -/// Escape the following characters with HTML entity encoding to prevent switching -/// into any execution context, such as script, style, or event handlers. Using -/// hex entities is recommended in the spec. In addition to the 5 characters -/// significant in XML (&, <, >, ", '), the forward slash is included as it helps -/// to end an HTML entity. +/// This escapes more than is ever necessary in any given place, so that one method can be used for +/// almost forms of escaping ever needed in both HTML and XML. Here’s all that you actually *need* +/// to escape: /// -/// ```text -/// & --> & -/// < --> < -/// > --> > -/// " --> " -/// ' --> ' ' is not recommended -/// / --> / forward slash is included as it helps end an HTML entity -/// ``` +/// - In HTML body text: `<` and `&`; +/// - In HTML quoted attribute values: `&` and the quote (`'` or `"`); +/// - In XML body text: `<`, `>` and `&`; +/// - In XML quoted attribute values: `<`, `>`, `&` and the quote (`'` or `"`). +/// +/// This method is only certified for use in these contexts. It may not be suitable in other +/// contexts; for example, inside a ``, +/// `