On Tue, Dec 23, 2025, at 10:55, Andrey Andreev wrote:
> Hi Sergei,
>
> XSS escaping is unfortunately not as simple as that. Templating engines are
> context-aware and can know whether to apply escaping for free-form text or an
> attribute (which can often also be validated by type), specific tag
> behaviors, and even whether the output is to be executed as HTML, XML, CSS,
> JS, etc.
>
> One-size-fits-all escaping that doesn't take such context into account is not
> effective and even makes things worse by giving developers a false sense of
> security.
>
> Cheers,
> Andrey.
Hi Andrey,

Which template engines are context-aware? The only ones I'm aware of are my own and Latte (which take a similar approach but are quite architecturally different).

— Rob
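As an added illustration of the point Andrey makes above (example code written for this thread, not taken from either engine Rob mentions): a toy renderer whose `{{name:context}}` placeholders carry their output context, beside a one-size-fits-all variant that HTML-escapes everything. The placeholder syntax, the context names, the template and the sample value are all constructed for the example.

```python
import html
import json
import re
from urllib.parse import quote

# Output contexts the (hypothetical) engine distinguishes; placeholder syntax is {{name:context}}.
HTML_TEXT, HTML_ATTR, JS_STRING, URL_PARAM = "html_text", "html_attr", "js_string", "url_param"
PLACEHOLDER = re.compile(r"\{\{(\w+):(\w+)\}\}")


def escape(value: str, ctx: str) -> str:
    """Escape `value` for the context it is about to be emitted into."""
    if ctx == HTML_TEXT:
        return html.escape(value, quote=False)
    if ctx == HTML_ATTR:  # always emitted inside a double-quoted attribute
        return html.escape(value, quote=True)
    if ctx == JS_STRING:  # inside a double-quoted JS literal in a <script> block
        body = json.dumps(value)[1:-1]  # handles backslash, quote, newlines, U+2028/2029
        # Also neutralise the characters the HTML parser acts on, so the literal
        # can never close the <script> element or start a tag or entity.
        return body.replace("&", "\\u0026").replace("<", "\\u003c").replace(">", "\\u003e")
    if ctx == URL_PARAM:  # a single query-string value
        return quote(value, safe="")
    raise ValueError(f"unknown output context {ctx!r}")


def render(template: str, values: dict) -> str:
    """Context-aware rendering: each placeholder names its own context."""
    return PLACEHOLDER.sub(lambda m: escape(values[m.group(1)], m.group(2)), template)


def naive_render(template: str, values: dict) -> str:
    """One-size-fits-all rendering: HTML-escape everything and ignore the context."""
    return PLACEHOLDER.sub(lambda m: html.escape(values[m.group(1)], quote=True), template)


def js_literal_intact(rendered: str) -> bool:
    """True if the string literal in the <script> block is still one closed JS literal."""
    m = re.search(r'var n = "(.*?)";</script>', rendered, re.S)
    return m is not None and "\n" not in m.group(1) and "<" not in m.group(1)


# Constructed template and value: the same untrusted string lands in four different contexts.
TEMPLATE = (
    "<p>{{name:html_text}}</p>"
    '<a href="/search?q={{name:url_param}}" title="{{name:html_attr}}">link</a>'
    '<script>var n = "{{name:js_string}}";</script>'
)
SAMPLE = 'Tom & "Jerry\'s" <b>\n'

if __name__ == "__main__":
    print(render(TEMPLATE, {"name": SAMPLE}))  # every context stays well-formed
    print(js_literal_intact(naive_render(TEMPLATE, {"name": SAMPLE})))  # False: the raw newline ends the literal
```

The naive variant also leaves `&amp;` and an unencoded space in the `href` value, so the browser decodes the value into a different query string than the one intended.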
