On Wed, Mar 26, 2014 at 10:30 AM, Nuria Ruiz <nu...@wikimedia.org> wrote:
> >Additionally, how you escape a plain parameter like class vs. an
> >href vs. a parameter that is inserted into a url vs. an id attribute are
> >all different escaping strategies.
> Urls in the template engine need to be handled on their own, sure. But what
> template engine does not work in this fashion? There are three separate
> "entities" you normally deal with when doing replacement: translations,
> urls and plain attributes.
>
>
> >$html = Html::element( 'div', array( 'class' => $anything ), $anythingElse
> I see. Sorry but where I disagree is that the "quote me this replacement"
> is a lawful case for the template engine.
I'm not sure I understand what you're saying here. Do you mean
makesafeString in your example shouldn't quote the text, but should instead
remove space characters?
> The line above is doing a lot
> more than purely templating and on my opinion it does little to separate
> data and markup. Which is the very point of having a template engine.
>
> But if you consider that one a lawful use case, you are right. The example
> I provided does not help you.
>
>
> On Wed, Mar 26, 2014 at 6:15 PM, Chris Steipp <cste...@wikimedia.org>
> wrote:
>
> > On Wed, Mar 26, 2014 at 9:44 AM, Daniel Friesen
> > <dan...@nadir-seen-fire.com>wrote:
> >
> > > On 2014-03-26, 9:32 AM, Nuria Ruiz wrote:
> > > >> The issue is that they apply the same escaping, regardless of the
> > > >> html context. So, in Twig and mustache, <div
> > class={{something}}></div>
> > > is
> > > >> vulnerable, if something is set to "1234 onClick=doSomething()".
> > > > Right, the engine would render:
> > > >
> > > > <div class=1234 onClick=doSomething()> </div>
> > > >
> > > > because it only escapes HTML by default.
> > > > Now, note that the problem can be fixed with <div
> > class={{makeStringSafe
> > > > something}}>
> > > >
> > > > Where "makestringSafe" is a function defined by us and executed there
> > > that
> > > > escapes to our liking.
> > > How does a custom function jammed into the middle of a Mustache
> template
> > > fix the issue when the issue is not that foo={{something}} doesn't
> > > escape, but is that quoting is needed instead of escaping, and Mustache
> > > isn't context sensitive so neither Mustache or a custom function know
> > > that foo={{something}} is an attribute value in need of quoting?
> > >
> >
> > Exactly. Additionally, how you escape a plain parameter like class vs. an
> > href vs. a parameter that is inserted into a url vs. an id attribute are
> > all different escaping strategies. So there would be many different
> > "makeXXXXStringSafe" and probably "quoteAndMakeXXXXStringSafe" functions,
> > and code review would have to make sure the right one was being used in
> the
> > right place. Which means someone who is familiar with all of the xss
> > techniques would need to code review almost all the templates.
> >
> > For comparison, using our current html templating (as much as it sucks):
> >
> > $html = Html::element( 'div', array( 'class' => $anything ),
> $anythingElse
> > );
> >
> > The developer doesn't need to have any knowledge of what escaping needs
> to
> > apply to the class attribute vs the text.
> >
> >
> >
> > > ~Daniel Friesen (Dantman, Nadir-Seen-Fire) [http://danielfriesen.name/
> ]
> > >
> > >
> > >
> > _______________________________________________
> > Wikitech-l mailing list
> > Wikitech-l@lists.wikimedia.org
> > https://lists.wikimedia.org/mailman/listinfo/wikitech-l
> >
> _______________________________________________
> Wikitech-l mailing list
> Wikitech-l@lists.wikimedia.org
> https://lists.wikimedia.org/mailman/listinfo/wikitech-l
>
_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
