> How does a custom function jammed into the middle of a Mustache template
> fix the issue when the issue is not that foo={{something}} doesn't
> escape, but is that quoting is needed instead of escaping, and Mustache
> isn't context sensitive so neither Mustache or a custom function know
> that foo={{something}} is an attribute value in need of quoting?

Sorry but I think you might have misunderstood Chris' example. Attributes should not need any quoting, that is not a real use case. Placeholders are replaced by attributes that might be extra-escaped but in any case the template engine should infer anything as to the content being replaced.

The expected outcome after substitution should be:

<div class=some-escaped-text> </div>

On Wed, Mar 26, 2014 at 5:44 PM, Daniel Friesen <dan...@nadir-seen-fire.com> wrote:

> On 2014-03-26, 9:32 AM, Nuria Ruiz wrote:
> >> The issue is that they apply the same escaping, regardless of the
> >> html context. So, in Twig and mustache, <div class={{something}}></div> is
> >> vulnerable, if something is set to "1234 onClick=doSomething()".
> > Right, the engine would render:
> >
> > <div class=1234 onClick=doSomething()> </div>
> >
> > because it only escapes HTML by default.
> > Now, note that the problem can be fixed with <div class={{makeStringSafe
> > something}}>
> >
> > Where "makestringSafe" is a function defined by us and executed there that
> > escapes to our liking.
>
> How does a custom function jammed into the middle of a Mustache template
> fix the issue when the issue is not that foo={{something}} doesn't
> escape, but is that quoting is needed instead of escaping, and Mustache
> isn't context sensitive so neither Mustache or a custom function know
> that foo={{something}} is an attribute value in need of quoting?
>
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
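The two positions in this exchange can be checked mechanically. The following is an added example, not code from the thread, from Mustache, or from MediaWiki: a toy placeholder renderer with Mustache-like default HTML escaping, a helper used the way `{{makeStringSafe something}}` is used above, and a small start-tag attribute tokenizer that splits attributes by the HTML tokenizer's rule that an unquoted value ends at whitespace or `>`. The function names, the renderer, the helper's exact behaviour and the second payload (`PAYLOAD_QUOTE`) are all constructed for this example; only `1234 onClick=doSomething()` comes from the thread.

```javascript
// Added example: escaping vs quoting in an HTML attribute context.
// render/escapeHtml/escapeUnquotedAttr/parseAttributes are constructed here,
// they are not Mustache's or MediaWiki's code.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Context-insensitive escaping: what {{x}} does regardless of where it lands.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// A "makeStringSafe"-style helper (assumed behaviour): encodes every character
// that could end an unquoted attribute value or start a new attribute. Browsers
// decode numeric character references inside attribute values after tokenizing,
// so the class still reads back as the original string.
function escapeUnquotedAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => '&#x' + c.charCodeAt(0).toString(16) + ';');
}

const HELPERS = { makeStringSafe: escapeUnquotedAttr };

// Renders {{name}} with escapeHtml and {{helper name}} with the named helper.
function render(template, data) {
  return template.replace(/\{\{\s*(?:(\w+)\s+)?(\w+)\s*\}\}/g, (_, helper, name) => {
    const value = data[name] ?? '';
    return helper ? HELPERS[helper](value) : escapeHtml(value);
  });
}

// Splits the attributes of one start tag into [name, rawValue] pairs.
// Unquoted values stop at whitespace or '>', quoted values at the matching quote.
function parseAttributes(startTag) {
  const m = /^<[A-Za-z][^\s>]*\s*([\s\S]*?)\s*>$/.exec(startTag);
  if (!m) throw new Error('not a single start tag: ' + startTag);
  const attrs = [];
  const re = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let a;
  while ((a = re.exec(m[1])) !== null) {
    attrs.push([a[1].toLowerCase(), a[2] ?? a[3] ?? a[4] ?? '']);
  }
  return attrs;
}

const PAYLOAD = '1234 onClick=doSomething()';          // the value from the thread
const PAYLOAD_QUOTE = '1234" onClick="doSomething()';  // constructed: tries to close a quoted value

// Renders each template with each payload and returns the HTML plus how a
// browser-like tokenizer would split its attributes.
function demo() {
  const templates = {
    unquoted: '<div class={{something}}>',
    quoted: '<div class="{{something}}">',
    helper: '<div class={{makeStringSafe something}}>',
  };
  const results = {};
  for (const [label, tpl] of Object.entries(templates)) {
    for (const [pl, value] of [['plain', PAYLOAD], ['quote', PAYLOAD_QUOTE]]) {
      const html = render(tpl, { something: value });
      results[label + ':' + pl] = { html, attrs: parseAttributes(html) };
    }
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [k, v] of Object.entries(demo())) {
    console.log(k, v.html, JSON.stringify(v.attrs));
  }
}
```

Running it shows both points at once: with the unquoted template, default escaping leaves `onclick` as a second attribute because none of `& < > " '` appear in the payload; quoting the attribute in the template makes the same escaping sufficient, including against a payload that tries to close the quote; and a helper that encodes whitespace and `=` also keeps the value inside one attribute, but only because the template author knew to apply it at that exact spot, which is the context knowledge the engine itself does not have.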