[
https://issues.apache.org/jira/browse/FREEMARKER-189?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17410656#comment-17410656
]
Dániel Dékány commented on FREEMARKER-189:
------------------------------------------
I'm not sure how JSP comes here. I will assume this is all about FTL actually.
So, if you have {{onclick="submit('${btnOnClick}')"}}, then the correct
escaping is {{onclick="submit('${btnOnClick?js_string?html}')"}}. That's
because {{?html}} only escapes the things that have special meaning in HTML (as
the name implies). Similarly, {{?js_string}} only escapes the things that have
special meaning inside JavaScript string literals.
It's not possible to escape characters that are special in JavaScript string
literals via {{?html}}, since in JavaScript string literals you have to escape
with \ (backslash), and if the inserted text is outside a JavaScript string
literal, then the \ will be displayed as is, since it's not a special character
in HTML.
By the way, I strongly recommend using HTML auto-escaping instead of {{?html}}
(see in the Manual). Then this thing will become
{{onclick="submit('${btnOnClick?js_string}')"}}, and most other manual escaping
will be gone. Then people can't accidentally forget adding them. If, however,
you are inside JavaScript, you must always consider additional escaping, or
other input validation. There's no way around that, since FreeMarker doesn't
interpret the static text parts, so it doesn't know the context of the
interpolation.
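To make the two-context argument above concrete, here is an added example (my own Python, not FreeMarker's code and not part of this issue). The two escaper functions are constructed approximations of what {{?html}} and {{?js_string}} do, the attribute shape is the {{onclick="submit('...')"}} from the report, and the checks model the two things a browser does in order: the HTML parser decodes entities in the attribute value, then the JavaScript engine parses the result. The payload strings are the ones quoted in the issue, used here only to check that the rendered value never leaves the string literal.

```python
import html

# Constructed approximation of FreeMarker's ?html: replaces the characters
# that are special in HTML markup. Assumption for this example.
def ftl_html(s: str) -> str:
    return (s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
             .replace('"', "&quot;").replace("'", "&#39;"))

# Constructed approximation of ?js_string: backslash-escapes the characters
# that are special inside a JavaScript string literal. Assumption for this example.
_JS_ESCAPES = {"\\": "\\\\", "'": "\\'", '"': '\\"', "\n": "\\n", "\r": "\\r",
               "<": "\\u003C", ">": "\\u003E"}

def ftl_js_string(s: str) -> str:
    return "".join(_JS_ESCAPES.get(c, c) for c in s)

PREFIX = 'onclick="'

def render_onclick(value: str, chain) -> str:
    """Render onclick="submit('${value}')" with the built-ins applied in chain order,
    so [ftl_js_string, ftl_html] corresponds to ${value?js_string?html}."""
    for builtin in chain:
        value = builtin(value)
    return f"{PREFIX}submit('{value}')\""

def attribute_value(rendered: str) -> str:
    """The value as the HTML parser sees it: everything up to the first '"'.
    HTML has no backslash escape, so a backslash does not protect the quote."""
    return rendered[len(PREFIX):].split('"', 1)[0]

def js_seen_by_browser(rendered: str) -> str:
    """Entities are decoded by the HTML parser before the JS engine runs the text."""
    return html.unescape(attribute_value(rendered))

def arg_stays_in_literal(js: str) -> bool:
    """True only if the argument of submit(...) is one closed string literal followed
    by ')' and nothing else, i.e. the inserted data never left the literal.
    Minimal scanner that understands JavaScript backslash escapes."""
    start = "submit('"
    if not js.startswith(start):
        return False
    i = len(start)
    while i < len(js):
        c = js[i]
        if c == "\\":          # escaped character: skip it, stay in the literal
            i += 2
            continue
        if c == "'":           # literal closed: only ')' may follow
            return js[i + 1:] == ")"
        i += 1
    return False               # literal never closed (syntax error or truncated)

def check(value: str, chain) -> tuple:
    """(attribute intact, argument confined to the string literal)."""
    rendered = render_onclick(value, chain)
    intact = attribute_value(rendered) == rendered[len(PREFIX):-1]
    return intact, arg_stays_in_literal(js_seen_by_browser(rendered))

if __name__ == "__main__":
    cases = [
        ("?html only",          "');alert(1)//", [ftl_html]),
        ("?js_string?html",     "');alert(1)//", [ftl_js_string, ftl_html]),
        ("?js_string only",     '");alert(1)//', [ftl_js_string]),
        ("?js_string?html, data", "O'Neil",      [ftl_js_string, ftl_html]),
    ]
    for label, value, chain in cases:
        rendered = render_onclick(value, chain)
        print(f"{label:24} {rendered}")
        print(f"{'':24} JS runs: {js_seen_by_browser(rendered)!r}  "
              f"(attribute intact, literal confined) = {check(value, chain)}")
```

The first case reproduces the splice quoted in the report: {{?html}} turns the apostrophe into {{&#39;}}, the HTML parser turns it straight back into {{'}}, and the JS engine sees {{submit('');alert(1)//')}}. The second case is the {{?js_string?html}} chain: the backslash survives entity decoding, so the literal is never closed early. The third case shows why the outer {{?html}} (or auto-escaping) is still needed: a bare {{\"}} from {{?js_string}} ends the HTML attribute, since the HTML parser knows nothing about backslashes. The last case checks that ordinary data with an apostrophe still arrives intact.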
> The Built-in constructs like "?html" has security issues
> --------------------------------------------------------
>
> Key: FREEMARKER-189
> URL: https://issues.apache.org/jira/browse/FREEMARKER-189
> Project: Apache Freemarker
> Issue Type: Bug
> Components: jsp
> Affects Versions: 2.3.28, 2.3.29
> Environment: just normal environment, no special
> Reporter: PowerCOM_STARWAR
> Priority: Major
> Labels: security
> Attachments: StringUtil.java
>
> Original Estimate: 1h
> Remaining Estimate: 1h
>
> 1. When I develop the JSP page, for the reason of security, I use the "?html"
> to encode the attribute "onclick" in the button.ftl as below:
> <span id="${btnID?html}" style="${(style!'')?html}" tabindex="0" class="
> ${(css!'')?html}" <@htmc.disabled /> <#if
> btnTitle!=''>title="${btnTitle?html}"</#if><#lt>
> <#if btnOnClick??> *onclick="${btnOnClick?html}"*</#if> > <#lt>
> 2. In the JSP b.jsp, I write as this: <powercom: button id="game"
> onclick="submit('${name}')" />;
> 3. The variable name comes from another page a.jsp; the user can input the value
> for the parameter name, then the user can jump to b.jsp;
> 4. If I input the value for name as "'*);console.log(1)//*" or
> "'*);alert(1)//*" in a.jsp (attention, it simulates an attack), it will be
> executed when I jump to b.jsp: the variable "*btnOnClick*" will be
> assigned the value "*submit('${name}')*", then the attack statement is
> spliced as this: onclick="submit('');*alert(1)*//')"; and the page pops up a
> msgbox showing "1".
> 5. Because the built-in construct "?html" does not escape the left and right
> parentheses "(" and ")", the attack statements can be executed. I think
> the left and right parentheses "(" and ")" should be escaped by the
> "?html" built-in construct because of security. Thanks
--
This message was sent by Atlassian Jira
(v8.3.4#803005)