Closed
Description
A simple, flexible XSS escape mechanism will be added to the Request object and related methods: param, header, etc. The XSS API will be part of the core, and an HTML escaper will be provided from Guava HtmlEscapers. They need to be provided via a module.
```java
{
  use(new XSS());

  get("/", req -> {
    // escape `text` param by applying html and/or javascript escapers
    String text = req.param("text", "html", "js");
    return text;
  });
}
```

- The `html` and `js` XSS escapers are provided by an `XSS` module.
- An XSS module must provide one or more escapers.
- Missing escapers are silently ignored.
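
The following is an added example, not code from the issue or from the project. It sketches the name-based lookup described above and shows what "silently ignored" means in practice: a misspelled escaper name returns the input unescaped. The class `XssEscapers`, the `escapeStrict` variant and the hand-written `html` function (standing in for the Guava escaper) are assumptions made for illustration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.function.UnaryOperator;

public class XssEscapers {
  // Named escapers, standing in for what an XSS module would contribute.
  private final Map<String, UnaryOperator<String>> escapers = new HashMap<>();
  public XssEscapers register(String name, UnaryOperator<String> escaper) {
    escapers.put(name, escaper);
    return this;
  }

  // Lenient behaviour from the issue: names with no registered escaper are skipped.
  public String escape(String value, String... names) {
    String out = value;
    for (String name : names) {
      UnaryOperator<String> e = escapers.get(name);
      if (e != null) out = e.apply(out);
    }
    return out;
  }

  // Strict variant (an assumption, not part of the issue): reject unknown names.
  public String escapeStrict(String value, String... names) {
    for (String name : names) {
      if (!escapers.containsKey(name)) {
        throw new IllegalArgumentException("no escaper registered: " + name);
      }
    }
    return escape(value, names);
  }

  // Hand-written stand-in for an HTML escaper; '&' must be replaced first.
  static String html(String s) {
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
        .replace("\"", "&quot;").replace("'", "&#39;");
  }

  public static void main(String[] args) {
    XssEscapers xss = new XssEscapers().register("html", XssEscapers::html);
    String input = "<b title=\"x\">R&D</b>"; // constructed sample input
    System.out.println(xss.escape(input, "html"));
    System.out.println(xss.escape(input, "htm")); // "htm" is a typo for "html"
    try {
      xss.escapeStrict(input, "htm");
    } catch (IllegalArgumentException ex) {
      System.out.println("strict: " + ex.getMessage());
    }
  }
}
```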