
Escaping bug

Open monolithed opened this issue 9 years ago • 10 comments

1st problem

1.

Params

    {
        text: '<script>alert(1)<\/script>'
    }

Template

    {{text}}

Output

Empty string

2.

Params

    {
        text: '<foo>alert(1)<\/foo>'
    }

Template

    {{text}}

Output

    alert(1)

3.

Params

    {
        text: '&lt;foo&gt;alert(1)&lt;/foo&gt;'
    }

Template

    {{text}}

Output

    <foo>alert(1)</foo>

Expected

Output

    <foo>alert(1)</foo>

For all use-cases!

2nd problem

Params

    {
        text: '&lt;foo&gt;alert(1)&lt;/foo&gt;'
    }

Template

    {{{text}}}

Output

Error

Expected

    &lt;foo&gt;alert(1)&lt;/foo&gt;

Should work like Handlebars

monolithed avatar Jun 17 '15 02:06 monolithed

I am not sure you really tested it with Template7, because none of these outputs is what you get in Template7:

You write:

    '<script>alert(1)<\/script>' -> Empty string

But actually:

    '<script>alert(1)<\/script>' -> '<script>alert(1)</script>'

You write:

    '<foo>alert(1)<\/foo>' -> Empty string

But actually:

    '<foo>alert(1)<\/foo>' -> '<foo>alert(1)</foo>'

You write:

    '&lt;foo&gt;alert(1)&lt;/foo&gt;' -> '<foo>alert(1)</foo>'

But actually:

    '&lt;foo&gt;alert(1)&lt;/foo&gt;' -> '&lt;foo&gt;alert(1)&lt;/foo&gt;'

You write:

    '<script>alert(1)<\/script>' -> Empty string

But actually:

    '<script>alert(1)<\/script>' -> '<script>alert(1)</script>'

You write:

    '&lt;foo&gt;alert(1)&lt;/foo&gt;' + {{{text}}} -> Error

But actually:

    '&lt;foo&gt;alert(1)&lt;/foo&gt;' + {{{text}}} -> '{&lt;foo&gt;alert(1)&lt;/foo&gt;}'

nolimits4web avatar Jun 20 '15 11:06 nolimits4web

Yeap, I can replicate it.

My bower file:

    "dependencies": {
        "framework7": "1.0.6",
        "template7" : "1.0.5",
        "handlebars": "3.0.3",
        "requirejs" : "2.1.18",
        "text"      : "2.0.14"
    }

monolithed avatar Jun 20 '15 13:06 monolithed

Ok, type this in the browser console:

    Template7.compile('{{text}}')({text:'<script>alert(1)<\/script>'});

You will not see an empty string as you wrote.

nolimits4web avatar Jun 20 '15 13:06 nolimits4web

It's true.

I mean

    Dom7('body').html(Template7.compile('{{text}}')({text:'<script>alert(1)<\/script>'}))

monolithed avatar Jun 20 '15 13:06 monolithed

This is different. Template7 doesn't do any escaping like Handlebars. If you need it, you may use the encode helper, which is released in the latest version, like {{encode text}}

nolimits4web avatar Jun 20 '15 17:06 nolimits4web

Actually, the encoding should be used by default to prevent XSS-like attacks. You should pay attention to other template engines like Jade, Handlebars and Fest, which follow OWASP practice.

monolithed avatar Jun 20 '15 20:06 monolithed

Maybe, but if I add it now, it could bring a lot of breaking changes in existing apps and issues for all who use it like it is now

nolimits4web avatar Jun 20 '15 20:06 nolimits4web

Yep, you'd up the major version )

monolithed avatar Jun 20 '15 20:06 monolithed

But at the moment it is not an option, as it is heavily used in Framework7, where I would need to up the major version too then )

nolimits4web avatar Jun 20 '15 20:06 nolimits4web

Can we please have autoescaping turned on by a global option (so it doesn't break legacy code)? Something like:

    Template7.setAutoEscaping(true);

It would also require providing a way not to escape a value - Handlebars uses "triple-stash" {{{ ... }}} and Handlebars.SafeString() in helpers.

PetrToman avatar Mar 09 '19 07:03 PetrToman
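As an added illustration (not Template7's or Handlebars' code), a minimal renderer sketching the behaviour proposed in this thread: a global auto-escape switch that defaults to off, `{{{ ... }}}` for raw output, and a SafeString-style marker for helper results. The names `render`, `setAutoEscaping` and `SafeString` are hypothetical; the inputs are the ones from the issue.

```javascript
// Hypothetical sketch of auto-escaping for a {{mustache}}-style template engine.
// Not Template7's implementation; it only supports {{name}} and {{{name}}}.

const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter in an HTML text/attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Marker for values a helper has already made safe (cf. Handlebars.SafeString).
class SafeString {
  constructor(s) { this.string = String(s); }
  toString() { return this.string; }
}

// Off by default, matching Template7's current (non-escaping) behaviour.
const settings = { autoEscape: false };
function setAutoEscaping(on) { settings.autoEscape = Boolean(on); }

function render(template, params) {
  // Try the triple-stash first so {{{text}}} is never read as {{text}} + "{".
  return template.replace(/\{\{\{\s*(\w+)\s*\}\}\}|\{\{\s*(\w+)\s*\}\}/g, (m, raw, esc) => {
    if (raw !== undefined) return String(params[raw] ?? '');   // {{{x}}}: raw, never escaped
    const v = params[esc] ?? '';
    if (v instanceof SafeString) return v.toString();          // helper opted out explicitly
    return settings.autoEscape ? escapeHtml(v) : String(v);    // {{x}}: escaped when enabled
  });
}

// Usage with the issue's inputs (constructed here, not captured output):
setAutoEscaping(true);
render('{{text}}', { text: '<script>alert(1)</script>' });     // -> &lt;script&gt;alert(1)&lt;/script&gt;
render('{{text}}', { text: '&lt;foo&gt;alert(1)&lt;/foo&gt;' }); // -> &amp;lt;foo&amp;gt;... (already-encoded input is encoded again)
render('{{{text}}}', { text: '&lt;foo&gt;alert(1)&lt;/foo&gt;' }); // -> &lt;foo&gt;alert(1)&lt;/foo&gt;
setAutoEscaping(false);
```

Note the third call: with escaping on, input that is already entity-encoded gets double-encoded, which is why an engine that escapes by default needs the triple-stash or a SafeString to pass pre-encoded values through.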