On 2014-03-26, 10:15 AM, Nuria Ruiz wrote:
>> How does a custom function jammed into the middle of a Mustache template
>> fix the issue when the issue is not that foo={{something}} doesn't
>> escape, but is that quoting is needed instead of escaping, and Mustache
>> isn't context sensitive so neither Mustache nor a custom function know
>> that foo={{something}} is an attribute value in need of quoting?
> Sorry but I think you might have misunderstood Chris' example. Attributes
> should not need any quoting, that is not a real use case. Placeholders are
> replaced by attributes that might be extra-escaped but in any case the
> template engine should infer anything as to the content being replaced.
>
> The expected outcome after substitution should be: <div
> class=some-escaped-text> </div>
And Chris explained that if 'something' was 'some-text
onclick=doSomething()' instead of 'some-text' then instead of:

<div class=some-escaped-text> </div>

The template engine would output:

<div class=some-escaped-text onclick=doSomething()> </div>

Creating an XSS vector.

~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/]
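The following is an added illustration of the point made in this message, not code from the thread or from any Wikimedia project. It uses a constructed, deliberately minimal Mustache-style substitution that HTML-escapes every placeholder, plus a small hand-written start-tag attribute parser (both are assumptions made for the example, not a real engine's API), to show that escaping leaves the `some-text onclick=doSomething()` value untouched, that an unquoted attribute then yields a separate `onclick` attribute, and that quoting the attribute in the template keeps the whole value inside `class`.

```javascript
// Added example (not from the mailing-list thread): why an HTML-escaped but
// unquoted attribute value is still injectable, and why quoting in the
// template is the mitigation.

// Constructed escaper covering the classic five significant characters.
// Real engines may escape a wider set; the point here is that the hostile
// value below contains none of these characters at all.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Minimal {{name}} substitution with no context awareness: every placeholder
// is escaped the same way regardless of where it sits in the markup.
function render(template, view) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_, name) =>
    escapeHtml(name in view ? view[name] : ''));
}

// Constructed parser for the attributes of the first start tag, honouring
// quoted values the way a browser would (quoted values may contain spaces,
// unquoted values end at the first whitespace or '>').
function parseStartTag(html) {
  const attrs = {};
  let i = html.indexOf('<');
  if (i < 0) return attrs;
  i++;
  while (i < html.length && /[A-Za-z0-9]/.test(html[i])) i++; // tag name
  while (i < html.length) {
    while (i < html.length && /\s/.test(html[i])) i++;
    if (i >= html.length || html[i] === '>') break;
    let name = '';
    while (i < html.length && !/[\s=>]/.test(html[i])) name += html[i++];
    while (i < html.length && /\s/.test(html[i])) i++;
    let value = '';
    if (html[i] === '=') {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const q = html[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < html.length && html[i] !== q) value += html[i++];
        i++; // closing quote
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
      }
    }
    attrs[name.toLowerCase()] = value;
  }
  return attrs;
}

// Constructed inputs in the shape of Chris' example.
const benign = 'some-text';
const hostile = 'some-text onclick=doSomething()';

const unquotedTemplate = '<div class={{something}}> </div>';   // as in the thread
const quotedTemplate = '<div class="{{something}}"> </div>';   // the mitigation

// Renders each case; the results are returned so they can be inspected.
function demo() {
  return {
    unquotedBenign: render(unquotedTemplate, { something: benign }),
    unquotedHostile: render(unquotedTemplate, { something: hostile }),
    quotedHostile: render(quotedTemplate, { something: hostile }),
    // Escaping and quoting together: a value that tries to close the quote
    // is neutralised because '"' becomes '&quot;'.
    quotedBreakout: render(quotedTemplate, { something: '" onclick="x' }),
  };
}

// Usage: log which attributes a browser would see in each rendered tag.
for (const [label, html] of Object.entries(demo())) {
  console.log(label, html, '=>', Object.keys(parseStartTag(html)));
}
```

The `unquotedHostile` output is exactly the `<div class=some-escaped-text onclick=doSomething()> </div>` line above: the escaper had nothing to rewrite, so only the quoting decision, which lives in the template and not in the value, determines whether `onclick` becomes its own attribute.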


_______________________________________________
Wikitech-l mailing list
https://lists.wikimedia.org/mailman/listinfo/wikitech-l