
Mention Liquid insecure default: rendering does not escape interpolated variables

Open eliotsykes opened this issue 7 years ago • 0 comments

This may surprise developers used to other templating engines used in Rails, but, at time of writing, Liquid does not behave like ERB/HAML templates in Rails where interpolated values are escaped by default.

Liquid does not escape interpolated values and does not have an option (at time of writing) to configure this to be the default. The developer needs to remember each and every time to escape user-supplied values to prevent attackers inserting their choice of HTML into emails and pages that use Liquid for templating.

eliotsykes, Jan 04 '18 17:01