On 03/30/2014 02:23 AM, Nuria Ruiz wrote:
> What I am saying is that the parsing and escaping scheme we need is much
> simpler if you disallow the use case of passing the template engine
> something that is not data.
>
> Let me explain this as it has to do more with correctness than with
> security per se:
> A template engine objective is to separate data from markup. In your
> example you are passing the template 'class="anything"' or
> 'onclick="something"'; neither "class" nor "onclick" are data.
The example might not have been the most helpful one. Consider a handlebars template like this:

<a href="{{url}}">{{title}}</a>

Even with double-stashes you'll be in trouble if your url data happens to be 'javascript:alert(cookie)'. For this you need special and ideally automatic sanitization for href attributes (and src & style), which is what KnockOff/TAssembly provides.

Gabriel

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l
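Added example, not part of the thread and not KnockOff/TAssembly code: a toy renderer for the template above that chooses the escaper from where each {{placeholder}} sits in the static template text, so the href value 'javascript:alert(cookie)' is rejected by a scheme allow-list even though plain HTML escaping (what double-stashes give you) would pass it through untouched. The scheme list, the REJECTED_URL placeholder and the sample data are my assumptions; it covers href and src but not style.

```javascript
// Added example (not from the thread, not KnockOff/TAssembly): contextual
// escaping for a handlebars-style template. Text and ordinary attribute
// values get HTML escaping; href/src values get a URL scheme allow-list first.

const ENTITY = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escaper for text content and ordinary double-quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY[ch]);
}

// Scheme allow-list for href/src (assumed). Scheme-less (relative) URLs pass.
const SAFE_SCHEME = /^(?:https?|mailto|ftp):/i;
const REJECTED_URL = 'about:invalid#rejected'; // hypothetical placeholder value

// Escaper for URL-valued attributes: check the scheme, then HTML-escape.
function sanitizeUrl(value) {
  const s = String(value).trim();
  // Browsers ignore ASCII control characters while reading the scheme, so
  // inspect a copy with them removed rather than the raw string.
  const normalized = s.replace(/[\u0000-\u0020]/g, '');
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(normalized);
  if (hasScheme && !SAFE_SCHEME.test(normalized)) return REJECTED_URL;
  return escapeHtml(s);
}

// Decide a placeholder's context from the static template text before it:
// 'text' (between tags), 'url' (href/src value), 'attr' (other quoted value),
// or 'unsupported' (tag name / attribute name position, which we refuse).
function contextBefore(prefix) {
  const lastOpen = prefix.lastIndexOf('<');
  const lastClose = prefix.lastIndexOf('>');
  if (lastOpen === -1 || lastClose > lastOpen) return 'text';
  const attr = prefix.slice(lastOpen).match(/([a-zA-Z-]+)\s*=\s*"[^"]*$/);
  if (!attr) return 'unsupported';
  const name = attr[1].toLowerCase();
  return name === 'href' || name === 'src' ? 'url' : 'attr';
}

const ESCAPERS = { text: escapeHtml, attr: escapeHtml, url: sanitizeUrl };

// Substitute {{name}} placeholders, escaping each value for its context.
function render(template, data) {
  const re = /\{\{\s*([\w.]+)\s*\}\}/g;
  let out = '';
  let last = 0;
  let m;
  while ((m = re.exec(template)) !== null) {
    const name = m[1];
    const escape = ESCAPERS[contextBefore(template.slice(0, m.index))];
    if (!escape) {
      throw new Error(`{{${name}}} sits where a tag or attribute name would go; refusing to render`);
    }
    // Own-property lookup so prototype members are never treated as data.
    const value = Object.prototype.hasOwnProperty.call(data, name) ? data[name] : '';
    out += template.slice(last, m.index) + escape(value);
    last = re.lastIndex;
  }
  return out + template.slice(last);
}

// Constructed inputs: the template from the thread with hostile data.
const TEMPLATE = '<a href="{{url}}">{{title}}</a>';
const HOSTILE = { url: 'javascript:alert(cookie)', title: '<b>hi</b>' };

console.log(render(TEMPLATE, HOSTILE));
// <a href="about:invalid#rejected">&lt;b&gt;hi&lt;/b&gt;</a>
```

The point to notice is that escapeHtml('javascript:alert(cookie)') returns the string unchanged, since it contains none of the five characters HTML escaping cares about; only the URL-aware escaper, chosen automatically because the placeholder is inside href="...", catches it. The renderer also refuses placeholders in tag or attribute-name positions, which is the "data only" restriction Nuria argues for.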