**Template code**

```
{#example_1}
{!-- The htmlescape and escapequotes filters, plus defang,
  -- and some suggestions on where to use them.
  --
  -- Cross-site scripting (XSS) attacks can be avoided
  -- with careful use of escape filters.  By hardening
  -- your templates against abuse, your Java code is
  -- relieved of this burden.
  --}

<h2>The WRONG way:</h2>
<form>
 <input name="full_name" value="{$name_a}" />
</form>
<script>
 var x = '{$name_b}';
 var y = '{$name_c}';
</script>
<div>
 I trust this {$output}
</div>

<hr/>

<h2>The RIGHT way:</h2>
<form>
 <input name="full_name" value="{$name_a|htmlescape}" />
</form>
<script>
 var x = '{$name_b|escapequotes}';
 var y = '{$name_c|escapequotes}';
</script>
<div>
 I don't trust this {$output|defang}
</div>
{#}
```

**Java**

```java
Theme theme = new Theme("examples");

// Fetch template from this file: themes/examples/escapes.chtml
// Inside that file there is a template "snippet" named #example_1
Chunk html = theme.makeChunk("escapes#example_1");

// let's try to sneak some malicious values into the template
html.set("name_a", "Eddy \"Crazy Eddy\" Robslovsky");
html.set("name_b", "Mad \"Meanie\" McEvil'+doMeanThing()+'");
html.set("name_c", "Backslash-\\B\\o\\b \"Confused\" O'Malley");
html.set("output", "<script>attack()</script>");

html.render( out );
```

**Chunk output**

```html
<h2>The WRONG way:</h2>
<form>
 <input name="full_name" value="Eddy "Crazy Eddy" Robslovsky" />
</form>
<script>
 var x = 'Mad "Meanie" McEvil'+doMeanThing()+'';
 var y = 'Backslash-\B\o\b "Confused" O'Malley';
</script>
<div>
 I trust this <script>attack()</script>
</div>

<hr/>

<h2>The RIGHT way:</h2>
<form>
 <input name="full_name" value="Eddy &quot;Crazy Eddy&quot; Robslovsky" />
</form>
<script>
 var x = 'Mad \"Meanie\" McEvil\'+doMeanThing()+\'';
 var y = 'Backslash-\\B\\o\\b \"Confused\" O\'Malley';
</script>
<div>
 I don't trust this scriptattack()/script
</div>
```

Each filter matches one output context. `htmlescape` is for HTML text and attribute values (the quotes in `name_a` become `&quot;`, so the attribute cannot be closed early). `escapequotes` is for JavaScript string literals: backslashes and both quote characters are escaped, so the `'+doMeanThing()+'` in `name_b` stays inside the string instead of becoming code. `defang` is for text you do not trust at all; it strips the angle brackets rather than encoding them, which is why `<script>attack()</script>` comes out as `scriptattack()/script`. One caveat for the inline-script case: quote escaping does not change how the browser parses the HTML, and an inline `<script>` element ends at the first `</script>` sequence regardless of JavaScript quoting, so untrusted data that can contain that sequence should not be placed inside an inline script at all.
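The three escaping contexts above, as an added stand-alone example that is not Chunk's own filter code: plain Java re-implementations of the behaviour the page's output shows for each filter, run over the same hostile values, plus a check for the inline-script breakout that quote escaping alone does not prevent. The method names are borrowed from the filter names; the implementations are this example's assumptions about what each filter does, not the library's source.

```java
/**
 * Added example: context-specific escaping for the three contexts in example_1.
 * These helpers mimic what the page's output shows (htmlescape -> entities,
 * escapequotes -> backslash escapes, defang -> angle brackets removed); they
 * are assumptions written for this page, not Chunk's implementation.
 */
public class EscapeContexts {

    // HTML text / attribute-value context: encode the four characters
    // that can change the markup structure.
    static String htmlescape(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': sb.append("&amp;"); break;
                case '<': sb.append("&lt;"); break;
                case '>': sb.append("&gt;"); break;
                case '"': sb.append("&quot;"); break;
                default:  sb.append(c);
            }
        }
        return sb.toString();
    }

    // JavaScript string-literal context: escape the backslash first
    // (otherwise the escapes added for the quotes would be doubled).
    static String escapequotes(String s) {
        return s.replace("\\", "\\\\")
                .replace("\"", "\\\"")
                .replace("'", "\\'");
    }

    // "Do not trust this at all" context: remove anything that could
    // open or close a tag instead of encoding it.
    static String defang(String s) {
        return s.replace("<", "").replace(">", "");
    }

    // Inline <script> caveat: the HTML parser ends the script element at the
    // first "</script" it meets, before any JavaScript runs, so a value that
    // carries that sequence escapes the string literal even after escapequotes.
    static boolean safeForInlineScript(String escaped) {
        return !escaped.toLowerCase().contains("</script");
    }

    public static void main(String[] args) {
        // Same hostile inputs as the page's Java snippet (constructed test data).
        String nameA  = "Eddy \"Crazy Eddy\" Robslovsky";
        String nameB  = "Mad \"Meanie\" McEvil'+doMeanThing()+'";
        String nameC  = "Backslash-\\B\\o\\b \"Confused\" O'Malley";
        String output = "<script>attack()</script>";

        System.out.println("value=\"" + htmlescape(nameA) + "\"");
        System.out.println("var x = '" + escapequotes(nameB) + "';");
        System.out.println("var y = '" + escapequotes(nameC) + "';");
        System.out.println("I don't trust this " + defang(output));

        // Quote escaping is not enough when the data itself carries a closing tag.
        String breakout = "x</script><script>attack()</script>";
        System.out.println("escapequotes(nameB) safe for inline script?    "
                + safeForInlineScript(escapequotes(nameB)));
        System.out.println("escapequotes(breakout) safe for inline script? "
                + safeForInlineScript(escapequotes(breakout)));
    }
}
```

Running `main` reproduces the four "RIGHT way" lines from the output above and then shows that `breakout` still passes through `escapequotes` with its `</script>` intact, which is the case that needs a different remedy (keep the data out of inline scripts, or make sure `</` cannot reach the page).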
**Template code**

```
{#example_2}
{!-- urlencode, urldecode.  TODO: improve this example... --}
<a href="http://www.example.com/cgi-bin/record_action?url={$url|urlencode}">Click here</a>
<p>The query string was: {$query_string|urldecode}.
{#}
```

**Java**

```java
Theme theme = new Theme("examples");

// Fetch template from this file: themes/examples/escapes.chtml
// Inside that file there is a template "snippet" named #example_2
Chunk html = theme.makeChunk("escapes#example_2");

html.set("url", "http://www.x5software.com/chunk/wiki/");
html.set("query_string", "x=y&z=w&god_particle=higgs%20boson");

html.render( out );
```

**Chunk output**

```html
<a href="http://www.example.com/cgi-bin/record_action?url=http%3A%2F%2Fwww.x5software.com%2Fchunk%2Fwiki%2F">Click here</a>
<p>The query string was: x=y&z=w&god_particle=higgs boson.
```

`urlencode` is the right filter for a value that is embedded as one query-string parameter in a URL: every reserved character in `{$url}` (`:` and `/` here) is percent-encoded, so the value cannot add or terminate parameters in the outer URL. Note that `urldecode` goes the other way and produces raw characters; in this example its result is written straight into the HTML body, so if the decoded data can contain `<`, `>` or `"` it still needs an HTML escape before it lands on the page.
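An added Java example for the urlencode/urldecode section, not part of the page or of Chunk: it uses the JDK's `java.net.URLEncoder` and `java.net.URLDecoder`, which percent-encode the way the output above shows, and it parses the sample query string by splitting on `&` before decoding each component, because decoding the whole string first turns an encoded `&` or `=` inside a value back into a delimiter. The `parseQuery` helper and the `tricky` input are constructed for this illustration.

```java
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example: percent-encoding one query-string component, and decoding a
 * query string safely. Helper names are this example's own, not Chunk filters.
 */
public class UrlEncodingDemo {

    // Encode ONE component (a key or a value), never a whole URL: reserved
    // characters such as ':' '/' '&' '=' are turned into %XX sequences.
    // Note: URLEncoder writes a space as '+', while URLDecoder accepts
    // both '+' and '%20' for a space.
    static String urlencode(String component) {
        try {
            return URLEncoder.encode(component, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e); // UTF-8 is always available
        }
    }

    static String urldecode(String component) {
        try {
            // Throws IllegalArgumentException on a malformed %XX sequence.
            return URLDecoder.decode(component, "UTF-8");
        } catch (UnsupportedEncodingException e) {
            throw new IllegalStateException(e);
        }
    }

    // Split first, decode second: the delimiters '&' and '=' are only
    // meaningful while they are still encoded as-is in the raw string.
    static Map<String, String> parseQuery(String rawQueryString) {
        Map<String, String> params = new LinkedHashMap<>();
        for (String pair : rawQueryString.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String key   = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? ""   : pair.substring(eq + 1);
            params.put(urldecode(key), urldecode(value));
        }
        return params;
    }

    public static void main(String[] args) {
        // The page's sample values.
        String url = "http://www.x5software.com/chunk/wiki/";
        System.out.println("url=" + urlencode(url));
        // -> url=http%3A%2F%2Fwww.x5software.com%2Fchunk%2Fwiki%2F

        String qs = "x=y&z=w&god_particle=higgs%20boson";
        System.out.println(parseQuery(qs));
        // -> {x=y, z=w, god_particle=higgs boson}

        // Constructed case: a value that itself contains '&' and '='.
        String tricky = "q=" + urlencode("a&b=c") + "&page=2";
        System.out.println(tricky);
        System.out.println("split-then-decode: " + parseQuery(tricky));
        // -> {q=a&b=c, page=2}
        System.out.println("decode-whole-string: " + urldecode(tricky));
        // -> q=a&b=c&page=2  (the encoded '&' is now indistinguishable from a delimiter)
    }
}
```

The last two lines of `main` show why `{$query_string|urldecode}` is only a display convenience: once the whole string has been decoded, a value that legitimately contained `&` can no longer be told apart from a parameter boundary, so any parsing must happen on the raw string.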