tokuhirom opened a new pull request #60: Make `js_string` more safety. URL: https://github.com/apache/freemarker/pull/60

I want to escape the `'` and `"` in hex form. For example, there's a template like this.

```html
<!doctype html>
<html>
<#assign v='"<svg/onload=alert(3)>'>
<body foo="${v?js_string}">
</body>
</html>
```

The rendering result is the following. This HTML shows an alert dialog when you open it in a web browser. It means an attacker can use this to steal a cookie.

```html
<!doctype html>
<html>
<body foo='\'<svg/onload=alert(3)>'>
</body>
</html>
```

I know it's a programming issue. Users should use the `?html` filter in this context. But some programmers sometimes forget to apply the filter. FreeMarker can reduce the security risk with this patch. The rendering result with this patch is:

```html
<!doctype html>
<html>
<body foo='\x22<svg/onload=alert(3)>'>
</body>
</html>
```
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
