Hi Sergei,
XSS escaping is unfortunately not as simple as that. Templating engines are context-aware and can know whether to apply escaping for free-form text or an attribute (which can often also be validated by type), specific tag behaviors, and even whether the output is to be executed as HTML, XML, CSS, JS, etc.
One-size-fits-all escaping that doesn’t take such context into account is not effective and even makes things worse by giving developers a false sense of security.
Cheers,
Andrey.
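The distinction Andrey draws above, as an added example (written for this page in Python; it is not code from Latte or from any other engine mentioned in the thread): one escaper per output context, plus a typed URL attribute that validates rather than escapes. The scheme allow-list and the sample inputs are constructed for the example.

```python
import html
import json
from urllib.parse import quote, urlsplit

# Added example: one escaper per output context. None of this is code from
# Latte or any other engine named in the thread; the scheme allow-list below
# is an assumption chosen for the example.


def escape_html_text(value: str) -> str:
    """Free-form text between tags: <, >, &, ' and " become entities."""
    return html.escape(value, quote=True)


def escape_html_attr(value: str) -> str:
    """Value inside a double-quoted attribute. The template must emit the
    surrounding quotes itself; an unquoted attribute has no safe escaping."""
    return html.escape(value, quote=True)


def escape_js_string(value: str) -> str:
    """String literal inside <script>. JSON encoding handles quotes and
    backslashes; '<' and '>' are additionally turned into \\u escapes so the
    data can never contain a literal '</script>' that ends the element."""
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")


def escape_url_param(value: str) -> str:
    """One query-string component: percent-encode everything non-alphanumeric."""
    return quote(value, safe="")


ALLOWED_SCHEMES = {"http", "https", "mailto"}  # assumption for this example


def safe_href(value: str) -> str:
    """Attribute of type URL: validate the scheme, then escape for the attribute
    context. Browsers ignore ASCII control characters inside a scheme, so they
    are removed before parsing; anything not on the allow-list is replaced by
    an inert '#'. Scheme-less (relative) URLs are accepted as-is."""
    cleaned = "".join(ch for ch in value.strip() if ord(ch) > 0x1F)
    scheme = urlsplit(cleaned).scheme.lower()
    if scheme and scheme not in ALLOWED_SCHEMES:
        return "#"
    return escape_html_attr(cleaned)


def naive_escape_everywhere(value: str) -> str:
    """The one-size-fits-all approach the thread warns about: HTML-escape every
    interpolation regardless of where it lands."""
    return html.escape(value, quote=True)


def render_profile(name: str, homepage: str, greeting: str) -> str:
    """A tiny template where each slot uses the escaper for its own context."""
    return (
        f"<h1>{escape_html_text(name)}</h1>\n"
        f'<a href="{safe_href(homepage)}" title="{escape_html_attr(name)}">home</a>\n'
        f'<a href="/search?q={escape_url_param(name)}">search</a>\n'
        f"<script>var greeting = {escape_js_string(greeting)};</script>"
    )


if __name__ == "__main__":
    # Constructed sample input: a harmless script: URL shows the difference
    # between escaping for text and validating for the URL context.
    sample_url = "javascript:void(0)"
    print("naive:", naive_escape_everywhere(sample_url))  # unchanged, still a script URL
    print("typed:", safe_href(sample_url))                 # "#"
    print(render_profile("<b>Ada</b> & co", sample_url, "</script>"))
```

The text and attribute contexts happen to share the same entity escaping, which is why a single escape function looks "good enough" in most of a page. In the URL context it does nothing useful (the script: URL survives HTML escaping byte for byte, and only the typed attribute rejects it), and in the script context it corrupts data instead of protecting it, because entities inside a script element are never decoded. That gap is what a context-aware engine closes and what a one-size-fits-all helper hides.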
On Tue, Dec 23, 2025, at 10:55, Andrey Andreev wrote:
> Hi Sergei,
> XSS escaping is unfortunately not as simple as that. Templating engines are context-aware and can know whether to apply escaping for free-form text or an attribute (which can often also be validated by type), specific tag behaviors, and even whether the output is to be executed as HTML, XML, CSS, JS, etc.
> One-size-fits-all escaping that doesn’t take such context into account is not effective and even makes things worse by giving developers a false sense of security.
> Cheers,
> Andrey.
Hi Andrey,
Which template engines are context aware? The only ones I’m aware of are my own and Latte (which takes a similar approach but is quite architecturally different).
— Rob
Hi Rob,
On Tue, Dec 23, 2025 at 12:14 PM Rob Landers rob@bottled.codes wrote:
> Which template engines are context aware? The only ones I’m aware of are my own and Latte (which takes a similar approach but is quite architecturally different).
Sorry, I don’t have a direct answer to your question. I haven’t written front-end code for a long time and haven’t needed such tools recently enough to know.
I just meant to say that only a templating engine (or something that would parse the full output) can be context-aware. Although in many cases, where a template engine provides helpers such as those that generate lists or forms, those helpers still have sufficient context.
Cheers,
Andrey.