On 2014-03-26, 9:32 AM, Nuria Ruiz wrote:
>> The issue is that they apply the same escaping, regardless of the
>> html context. So, in Twig and mustache, <div class={{something}}></div> is
>> vulnerable, if something is set to "1234 onClick=doSomething()".
> Right, the engine would render:
>
> <div class=1234 onClick=doSomething()> </div>
>
> because it only escapes HTML by default.
> Now, note that the problem can be fixed with <div class={{makeStringSafe
> something}}>
>
> Where "makeStringSafe" is a function defined by us and executed there that
> escapes to our liking.
How does a custom function jammed into the middle of a Mustache template
fix the issue when the issue is not that foo={{something}} doesn't
escape, but is that quoting is needed instead of escaping, and Mustache
isn't context sensitive so neither Mustache nor a custom function knows
that foo={{something}} is an attribute value in need of quoting?

~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]

_______________________________________________
Wikitech-l mailing list
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
