>How does a custom function jammed into the middle of a Mustache template
>fix the issue when the issue is not that foo={{something}} doesn't
>escape, but is that quoting is needed instead of escaping, and Mustache
>isn't context sensitive so neither Mustache or a custom function know
>that foo={{something}} is an attribute value in need of quoting?

Sorry but I think you might have misunderstood Chris' example. Attributes
should not need any quoting, that is not a real use case. Placeholders are
replaced by attributes that might be extra-escaped but in any case the
template engine should infer anything as to the content being replaced.

The expected outcome after substitution should be: <div class=some-escaped-text> </div>

On Wed, Mar 26, 2014 at 5:44 PM, Daniel Friesen <dan...@nadir-seen-fire.com> wrote:

> On 2014-03-26, 9:32 AM, Nuria Ruiz wrote:
> >> The issue is that they apply the same escaping, regardless of the
> >> html context. So, in Twig and mustache, <div class={{something}}></div>
> is
> >> vulnerable, if something is set to "1234 onClick=doSomething()".
> > Right, the engine would render:
> >
> > <div class=1234 onClick=doSomething()> </div>
> >
> > because it only escapes HTML by default.
> > Now, note that the problem can be fixed with <div class={{makeStringSafe
> > something}}>
> >
> > Where "makestringSafe" is a function defined by us and executed there
> that
> > escapes to our liking.
> How does a custom function jammed into the middle of a Mustache template
> fix the issue when the issue is not that foo={{something}} doesn't
> escape, but is that quoting is needed instead of escaping, and Mustache
> isn't context sensitive so neither Mustache or a custom function know
> that foo={{something}} is an attribute value in need of quoting?
>
> ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
>
>
>
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
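The two positions in the thread (quote the attribute vs. escape the value more aggressively) can be checked side by side. The block below is an added example, not code from the thread, from Mustache, or from Twig: `render` is a hypothetical minimal `{{name}}` substitution standing in for the engine, `escapeHtml` models the default HTML-body escaping both engines apply, `escapeHtmlAttr` is one concrete way to implement the unspecified `makeStringSafe` idea (an OWASP-style attribute escaper that encodes everything except alphanumerics), and `attributeNames` is a small checker that reports how many attributes a tokenizer would see in the rendered tag. The value `1234 onClick=doSomething()` is the constructed input from the thread.

```javascript
// Added example, not code from the thread or from Mustache/Twig: a minimal
// {{name}} substitution stand-in plus two escapers, to show that HTML-body
// escaping leaves an unquoted attribute injectable, while either quoting the
// attribute in the template or using an attribute-context escaper keeps the
// whole value inside one attribute.

// HTML-body escaping, the default Mustache/Twig apply to {{var}} output.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Attribute-context escaping (OWASP-style, assumed implementation of the
// thread's makeStringSafe): encode every character except [A-Za-z0-9], so
// whitespace, '=', quotes and parentheses can never terminate the attribute
// value even when the template left it unquoted.
function escapeHtmlAttr(value) {
  return String(value).replace(/[^A-Za-z0-9]/g,
    (c) => '&#x' + c.charCodeAt(0).toString(16).toUpperCase() + ';');
}

// Hypothetical engine: replaces {{name}} with escaper(vars[name]).
function render(template, vars, escaper) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) =>
    escaper(Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : ''));
}

// Small checker: list the attribute names a tokenizer would find in the first
// start tag of `html`. Two names where the template had one means the
// substituted value broke out of its attribute.
function attributeNames(html) {
  const open = html.match(/^<\w+\s*([^>]*)>/);
  if (!open) return [];
  const names = [];
  const attr = /([^\s="'<>`]+)(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'=<>`]+))?/g;
  let m;
  while ((m = attr.exec(open[1])) !== null) names.push(m[1]);
  return names;
}

const TEMPLATE_UNQUOTED = '<div class={{something}}></div>';
const TEMPLATE_QUOTED = '<div class="{{something}}"></div>';
// Constructed input: the value discussed in the thread.
const PAYLOAD = '1234 onClick=doSomething()';

// Render the three combinations so the results can be compared.
function demo() {
  return {
    unquotedHtmlEscaped: render(TEMPLATE_UNQUOTED, { something: PAYLOAD }, escapeHtml),
    unquotedAttrEscaped: render(TEMPLATE_UNQUOTED, { something: PAYLOAD }, escapeHtmlAttr),
    quotedHtmlEscaped: render(TEMPLATE_QUOTED, { something: PAYLOAD }, escapeHtml),
  };
}

for (const [label, html] of Object.entries(demo())) {
  console.log(label, '->', html, '| attributes:', attributeNames(html).join(','));
}
```

Only the first combination yields two attributes (`class` and `onClick`): HTML-body escaping touches none of the characters (space, `=`, parentheses) that end an unquoted attribute value. Quoting the attribute in the template makes the default escaper sufficient, because `"` is one of the characters it encodes; the attribute escaper makes the unquoted form safe by leaving nothing for the tokenizer to split on. Which of the two a project picks is the policy question the thread is about; the checker makes the outcome of either choice observable.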