On 03/30/2014 02:23 AM, Nuria Ruiz wrote:
> What I am saying is that the parsing and escaping scheme we need is much
> simpler if you disallow the use case of passing the template engine
> something that is not data.
> 
> Let me explain this, as it has to do more with correctness than with
> security per se:
> A template engine objective is to separate data from markup. In your
> example you are passing the template 'class="anything"' or
> 'onclick="something"'; neither "class" nor "onclick" is data.

The example might not have been the most helpful one. Consider a handlebars
template like this:

<a href="{{url}}">{{title}}</a>

Even with double-stashes you'll be in trouble if your url data happens to be
'javascript:alert(cookie)'. For this you need special and ideally automatic
sanitization for href attributes (and src & style), which is what
KnockOff/TAssembly provides.

Gabriel
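To make the point above concrete, here is an added example (not code from the thread, and not KnockOff/TAssembly's own implementation) of a template renderer that only HTML-escapes `{{url}}` next to one that knows the value sits in an `href` and runs a scheme whitelist first; the helper names and the set of allowed schemes are assumptions.

```javascript
// Added example, not from the thread or from KnockOff/TAssembly: why
// HTML-escaping alone does not make a value safe inside href, and what an
// attribute-aware URL sanitizer does instead.

// Generic HTML escaping: what a double-stash {{...}} gives you.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
  })[c]);
}

// URL sanitizer for href/src: keep scheme-less (relative) URLs and a small
// whitelist of schemes; anything else becomes an inert "#". Whitespace and
// control characters are stripped before the check because browsers ignore
// them when parsing a scheme such as "java\tscript:".
const SAFE_SCHEMES = new Set(['http', 'https', 'mailto', 'ftp']); // assumed whitelist
function sanitizeUrl(url) {
  const cleaned = String(url).replace(/[\u0000-\u0020\u007f-\u009f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return cleaned;                                  // relative URL, no scheme
  return SAFE_SCHEMES.has(m[1].toLowerCase()) ? cleaned : '#';
}

// Naive rendering: escape only, exactly what a plain {{url}} does.
function renderLinkEscapeOnly(data) {
  return `<a href="${htmlEscape(data.url)}">${htmlEscape(data.title)}</a>`;
}

// Context-aware rendering: the engine knows {{url}} is an href value, so it
// sanitizes the URL first and HTML-escapes the result afterwards.
function renderLinkSanitized(data) {
  return `<a href="${htmlEscape(sanitizeUrl(data.url))}">${htmlEscape(data.title)}</a>`;
}
```

With `{ url: 'javascript:alert(cookie)' }` the escape-only renderer emits the `javascript:` link unchanged, because none of its characters are HTML-significant; the sanitized renderer emits `href="#"`.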

_______________________________________________
Wikitech-l mailing list
Wikitech-l@lists.wikimedia.org
https://lists.wikimedia.org/mailman/listinfo/wikitech-l