6

I just tried this with Hiccup:

(hiccup.core/html [:h1 "<script>alert('xss');</script>"])

and to my surprise I got an alert box: Hiccup is not escaping strings by default. I see that there's a method to escape strings, but in my opinion, if it's not the default, sooner or later you'll forget and be vulnerable to XSS.

Is there a way in Hiccup to have it escape strings by default?

Pablo Fernandez
  • 279,434
  • 135
  • 377
  • 622

2 Answers

4

hiccup 2.0.0-alpha1 has escaping by default. You just need to change the hiccup.core/html call to hiccup2.core/html and it should work without any change.

(str (hiccup2.core/html [:h1 "<script>alert('xss');</script>"]))

I've upgraded my project from 1.0.5 and it's working without any regression.

Thiago Lewin
  • 2,810
  • 14
  • 18
2

No, but core/h is an alias for escape-html that makes it slightly more convenient:

(hiccup.core/html [:h1 (hiccup.core/h "<script>alert('xss');</script>")])

John Wiseman
  • 3,081
  • 1
  • 22
  • 31
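A regression test that exercises both approaches from the answers above, the hiccup2 default escaping and the explicit hiccup.core/h in Hiccup 1, is an added example, not code from either answer or from the Hiccup project. The namespace name, the render-comment functions and the constructed untrusted string are assumptions; it expects a hiccup 2.0.0-alpha1 (or later) dependency, which still ships hiccup.core for the legacy path.

```clojure
(ns example.render-test
  (:require [clojure.test :refer [deftest is testing]]
            [hiccup.core :as h1]
            [hiccup2.core :as h2]))

;; Constructed untrusted input: what an attacker might put in a comment body.
(def untrusted "<script>alert('xss');</script>")

(defn render-comment
  "Render an untrusted body with hiccup2, which escapes strings by default.
   hiccup2.core/html returns a RawString wrapper, so call str to get the HTML."
  [body]
  (str (h2/html [:div.comment [:p body]])))

(defn render-comment-legacy
  "Same markup with Hiccup 1, where escaping is opt-in via hiccup.core/h.
   Forgetting the h call here is exactly the bug the question describes."
  [body]
  (h1/html [:div.comment [:p (h1/h body)]]))

(defn render-comment-unsafe
  "Hiccup 1 without h: kept only so the test can show the difference."
  [body]
  (h1/html [:div.comment [:p body]]))

(deftest untrusted-input-is-escaped
  (doseq [[label render] {"hiccup2 default" render-comment
                          "hiccup1 with h"  render-comment-legacy}]
    (testing label
      (let [out (render untrusted)]
        ;; No raw tag may survive; the angle brackets must be entity-encoded.
        (is (not (re-find #"<script" out)))
        (is (.contains ^String out "&lt;script&gt;alert"))))))

(deftest unescaped-legacy-path-is-caught
  ;; Documents the failure mode: the raw string passes straight through.
  (is (.contains ^String (render-comment-unsafe untrusted) "<script>")))
```

Run with `lein test` or `clojure -M:test`; the second test is there to make the contrast visible and would be deleted once the legacy render path is removed from a real code base.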