Handlebars currently escapes only based on one function and allows users to specify a custom one, but within a certain template execution it only uses one escaping mechanism.
This means that values interpolated in different contexts (html attributes, html text, script, style, urls) are all escaped in the same way, which is known to be a cause for XSS.
This makes tera inherently unsafe. You can read more about it here (please see "Strawman I: Non-contextual auto-sanitization").
This should either be:

- clearly documented (see the "least surprise" bits of the linked doc) so that devs are reminded to manually apply the extra escaping needed
- fixed by implementing contextual auto escaping (also described in that document)
- fixed by providing the current context to the custom user-implemented function and allow users to implement their own contextual auto escaping.
Contextual auto escaping is implemented in many safe templates like Java Soy, Python Soy, Angular templates, Go standard html/template and safehtml/template or Jinja2 (even though in Jinja2 it is disabled by default) and others.
The TL;DR of the mechanism is to parse the HTML sources, understand the context that user data is being interpolated in and pick the appropriate escaping function accordingly.
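The mechanism just described, as an added example in Rust that is not code from handlebars-rust, Tera or this issue: a toy contextual auto-escaper that scans the literal HTML between interpolations, tracks whether each `{{name}}` lands in text, a double-quoted attribute, an unquoted attribute or a URL attribute, and picks the escaper from that context instead of applying one HTML escaper everywhere. The `{{name}}` syntax, the URL-attribute allowlist, the `#unsafe-url` replacement and the omission of script/style element bodies are assumptions of this example.

```rust
// Added example, not handlebars-rust/Tera code. Assumes "{{name}}" syntax; script/style element bodies are not modelled.
use std::collections::HashMap;
#[derive(Clone, Copy, Debug, PartialEq)] enum Ctx { Text, Tag, AttrName, AfterEq, Attr { quoted: bool, url: bool } }
fn is_url(attr: &str) -> bool { matches!(attr, "href" | "src" | "action" | "formaction") }
// HTML text escaper: the single escaper a non-contextual engine applies everywhere.
fn esc_html(s: &str) -> String {
    s.chars().map(|c| match c { '&' => "&amp;".to_string(), '<' => "&lt;".to_string(), '>' => "&gt;".to_string(), '"' => "&quot;".to_string(), '\'' => "&#39;".to_string(), c => c.to_string() }).collect()
}
// Unquoted attribute values end at whitespace, '=', '`' or '/': those need encoding as well, HTML escaping alone is not enough.
fn esc_attr_unquoted(s: &str) -> String {
    s.chars().map(|c| if " \t\n=`/".contains(c) { format!("&#{};", c as u32) } else { esc_html(&c.to_string()) }).collect()
}
// URL attribute: keep scheme-less URLs and allowlisted schemes, neutralise everything else (placeholder value is an assumption).
fn safe_url(s: &str) -> String {
    let scheme = s.trim().split(|c: char| "/?#".contains(c)).next().and_then(|h| h.split_once(':')).map(|(sch, _)| sch.to_ascii_lowercase());
    if matches!(scheme.as_deref(), None | Some("http" | "https" | "mailto")) { s.to_string() } else { "#unsafe-url".to_string() }
}
// Advance the HTML context state machine over one literal (non-interpolated) template character.
fn step(ctx: Ctx, attr: &mut String, c: char) -> Ctx {
    match (ctx, c) {
        (Ctx::Text, '<') => Ctx::Tag,
        (Ctx::Tag | Ctx::AttrName | Ctx::AfterEq | Ctx::Attr { quoted: false, .. }, '>') => Ctx::Text,
        (Ctx::Tag | Ctx::AttrName, c) if c.is_whitespace() => Ctx::Tag,
        (Ctx::Tag, c) => { attr.clear(); attr.push(c.to_ascii_lowercase()); Ctx::AttrName }
        (Ctx::AttrName, '=') => Ctx::AfterEq,
        (Ctx::AttrName, c) => { attr.push(c.to_ascii_lowercase()); Ctx::AttrName }
        (Ctx::AfterEq, '"') => Ctx::Attr { quoted: true, url: is_url(attr) },
        (Ctx::AfterEq, _) => Ctx::Attr { quoted: false, url: is_url(attr) },
        (Ctx::Attr { quoted: true, .. }, '"') | (Ctx::Attr { quoted: false, .. }, ' ') => Ctx::Tag,
        (a, _) => a,
    }
}
fn render(tpl: &str, vars: &HashMap<&str, &str>) -> String { // escaper chosen per interpolation context
    let (mut out, mut ctx, mut attr, mut rest) = (String::new(), Ctx::Text, String::new(), tpl);
    while let Some(start) = rest.find("{{") {
        for c in rest[..start].chars() { ctx = step(ctx, &mut attr, c); }
        out.push_str(&rest[..start]);
        let end = rest[start..].find("}}").expect("unterminated {{") + start;
        let val = vars.get(rest[start + 2..end].trim()).copied().unwrap_or("");
        if ctx == Ctx::AfterEq { ctx = Ctx::Attr { quoted: false, url: is_url(&attr) }; } // `attr={{x}}`
        out.push_str(&match ctx {
            Ctx::Text => esc_html(val),
            Ctx::Attr { quoted, url } => { let v = if url { safe_url(val) } else { val.to_string() };
                if quoted { esc_html(&v) } else { esc_attr_unquoted(&v) } }
            other => panic!("refusing to interpolate in context {:?}", other), // e.g. tag or attribute name position
        });
        rest = &rest[end + 2..];
    }
    out + rest
}
```

The same value `a onmouseover=x` is rendered differently in a quoted and in an unquoted `class` attribute, which is exactly the distinction a single fixed escaper cannot make.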