Merge pull request goldbergyoni#926 from forresst/patch-2
escape-output.md: Improved markdown rendering
goldbergyoni authored Mar 26, 2021
2 parents 118da6f + 23c83a7 commit a62f834
Showing 1 changed file with 13 additions and 8 deletions.
21 changes: 13 additions & 8 deletions sections/security/escape-output.md
Expand Up @@ -38,13 +38,18 @@ HTML and other web languages mix content with executable code - a single HTML pa

From the Blog [benramsey.com](https://benramsey.com/articles/escape-output/)
> Data may leave your application in the form of HTML sent to a Web browser, SQL sent to a database, XML sent to an RSS reader, WML sent to a wireless device, etc. The possibilities are limitless. Each of these has its own set of special characters that are interpreted differently than the rest of the plain text received. Sometimes we want to send these special characters so that they are interpreted (HTML tags sent to a Web browser, for example), while other times (in the case of input from users or some other source), we don’t want the characters to be interpreted, so we need to escape them.
> Escaping is also sometimes referred to as encoding. In short, it is the process of representing data in a way that it will not be executed or interpreted. For example, HTML will render the following text in a Web browser as bold-faced text because the <strong> tags have special meaning:
<strong>This is bold text.</strong>
But, suppose I want to render the tags in the browser and avoid their interpretation. Then, I need to escape the angle brackets, which have special meaning in HTML. The following illustrates the escaped HTML:

&lt;strong&gt;This is bold text.&lt;/strong&gt;

>
> Escaping is also sometimes referred to as encoding. In short, it is the process of representing data in a way that it will not be executed or interpreted. For example, HTML will render the following text in a Web browser as bold-faced text because the `<strong>` tags have special meaning:
>
> ```html
> <strong>This is bold text.</strong>
> ```
>
> But, suppose I want to render the tags in the browser and avoid their interpretation. Then, I need to escape the angle brackets, which have special meaning in HTML. The following illustrates the escaped HTML:
>
> ```html
> &lt;strong&gt;This is bold text.&lt;/strong&gt;
> ```
<br/><br/>
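Review bot: the old unquoted line `<strong>This is bold text.</strong>` fell outside the `>` blockquote and was rendered as bold text instead of showing the tags the quote is talking about, so moving both examples into `> ```html` fences inside the quote is the right fix. Two nits: putting backticks around `<strong>` in the prose line `> ... because the `<strong>` tags have special meaning:` changes the wording of the text being quoted from benramsey.com, and the attribution line `From the Blog [benramsey.com]` uses a capital B while the OWASP attribution later in the file reads `From the blog OWASP`.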
Expand All @@ -59,4 +64,4 @@ From the blog OWASP [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://
### Blog Quote: "You MUST use the escape syntax for the part of the HTML"
From the blog OWASP [XSS (Cross Site Scripting) Prevention Cheat Sheet](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
> "But HTML entity encoding doesn't work if you're putting untrusted data inside a <script> tag anywhere, or an event handler attribute like onmouseover, or inside CSS, or in a URL. So even if you use an HTML entity encoding method everywhere, you are still most likely vulnerable to XSS. You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into."
> "But HTML entity encoding doesn't work if you're putting untrusted data inside a `<script>` tag anywhere, or an event handler attribute like onmouseover, or inside CSS, or in a URL. So even if you use an HTML entity encoding method everywhere, you are still most likely vulnerable to XSS. You MUST use the escape syntax for the part of the HTML document you're putting untrusted data into."
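Review bot: the backticks around `<script>` matter for correctness, not only style: a bare `<script>` in the markdown source is treated as an HTML tag rather than text, so the rendered quote lost the tag name and read as "inside a tag anywhere". For consistency with the inline-code style now used in the benramsey quote, `onmouseover` could get the same treatment, and the literal double quotes wrapping the sentence are redundant inside a `>` blockquote.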
