
Escaping JS for html <script> tags

Open lukasschlueter opened this issue 7 years ago • 2 comments

Partials in html <script> tags don't get escaped, possibly breaking JS code.

```html
<!-- sample.html -->
<h1>Some HTML with JS</h1>

<script>
    console.log("<%= partial("someText.txt") %>")
</script>
```

```text
// _someText.txt
Text with characters "breaking" the JS 'code'
```

_someText.txt would not get JS escaped as the content-type is text/html.

I don't know a simple way to fix this and I'm not sure if we should escape it. From my understanding, this would be a lot of work including teaching plush how to parse html.

Originally posted by @lukasschlueter in https://github.com/gobuffalo/plush/pull/77#issuecomment-442239181

lukasschlueter, Nov 28 '18 23:11

As @sio4 stated, it's possible to use this in a safe way:

```html
<!-- fixed.html -->
<h1>Some HTML with JS</h1>

<script>
    <% let message = partial("someText.txt") %>
    console.log("<%= jsEscape(inspect(message)) %>")
</script>
```

Printing `Text with characters &#34;breaking&#34; the JS &#39;code&#39;` to console

lukasschlueter, Nov 28 '18 23:11
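As an added example (not code from the issue or from plush itself), the Go program below reproduces the three outcomes discussed above: the partial pasted into the script raw, HTML-escaped as the default text/html output escaping does, and passed through jsEscape. It assumes the default `<%= %>` escaping behaves like Go's `html.EscapeString` and plush's `jsEscape` like Go's `template.JSEscapeString`, and adds a small check for whether the rendered `console.log` line still holds one intact string literal.

```go
package main

import (
	"fmt"
	"html"
	"html/template"
)

// Constructed sample partial content, mirroring the issue's _someText.txt.
const partialText = `Text with characters "breaking" the JS 'code'`
// renderConsoleLog rebuilds the issue's <script> line with the partial's text
// passed through the given escaper.
func renderConsoleLog(text string, escape func(string) string) string {
	return `console.log("` + escape(text) + `")`
}
// noEscape pastes the partial in untouched; htmlEscape models the default
// <%= %> escaping for text/html (assumption: html.EscapeString); jsEscape
// models plush's jsEscape helper (assumption: template.JSEscapeString).
func noEscape(s string) string   { return s }
func htmlEscape(s string) string { return html.EscapeString(s) }
func jsEscape(s string) string   { return template.JSEscapeString(s) }
// stringLiteralIntact reports whether the rendered line still holds exactly one
// double-quoted JS string literal: the first unescaped `"` after the opening
// quote must be the closing one right before `)`; a raw newline is a JS error.
func stringLiteralIntact(line string) bool {
	const prefix = `console.log("`
	if len(line) < len(prefix) || line[:len(prefix)] != prefix {
		return false
	}
	body := line[len(prefix):]
	for i := 0; i < len(body); i++ {
		switch body[i] {
		case '\\':
			i++ // backslash escape: skip the escaped character
		case '"':
			return body[i+1:] == `)`
		case '\n', '\r':
			return false
		}
	}
	return false
}

func main() {
	for _, esc := range []func(string) string{noEscape, htmlEscape, jsEscape} {
		line := renderConsoleLog(partialText, esc)
		fmt.Printf("intact=%-5v %s\n", stringLiteralIntact(line), line)
	}
}
```

The HTML-escaped line is syntactically valid JS but logs the entities literally, because browsers do not decode entities inside `<script>`; only the jsEscape variant logs the original text.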

I think this issue is not so important and improving this is much expensive than we can get. we can just document this possibility (or caution) which is coming from the nature of HTML.

sio4, Nov 29 '18 10:11

> I think this issue is not so important and improving this is much expensive than we can get. we can just document this possibility (or caution) which is coming from the nature of HTML.

Long and old story :-) Oh, my explanation in English was not as good as always :-) Sorry for my poor English. Maybe what I wanted to tell is not about "the importance" but about the trade-off between possibility+efficiency and the effect of the result.

As the example shows, the issue is not directly caused by the partial helper but is caused by the usage of the parsed content. When the partial function does its job, it focuses on the given information (via Context) and that is the only information. The function cannot see how it will be used after it returns the value, so it cannot conditionally handle it, escaping it or leaving it as is.

The usage is the user's own thing, so users (developers) need to be careful about it if they use the partial helper for end-user generated content. We may be able to consider a force escape option via context but I feel it is too much.

I am going to close this long (including the history of the original PR #77) and old issue today, but please feel free to reopen it if you feel this issue is critical. Better examples and descriptions will help to triage the issue more. PRs are also welcome.

Additionally, the behavior of the partial function regarding this issue can be found in:

https://github.com/gobuffalo/plush/blob/2719ced49d7361cc8a2e30d6f66621989daf4cf9/partial_helper_test.go#L189-L235

sio4, Sep 05 '22 01:09