Escaping of HTML attributes
In https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes they clearly define the need for different kinds of escaping in (different kinds of) attributes. It would be nice if the (exhaustive) OWASP list of escaping methods were available in FreeMarker. AFAICT only html, js and url escaping are available.
I will read that through as time allows. But if you can point out concrete issues, that helps. Like, assuming you set incompatible_improvements to 2.3.20, so that the apostrophe-quote is escaped, are you aware of any trick to break out of

myAttr='${value?html}'

or

myAttr="${value?html}"

?

Last edit: Dániel Dékány 2014-06-30
I saw the options you provided in the docs.
No, I am not aware of being able to break out of a quote. Quoting :-): 'Properly quoted attributes can only be escaped with the corresponding quote.'
Last edit: Dave 2014-07-01
The template author is supposed to quote attribute values. If he doesn't, because he forgets to or doesn't know that he should, then surely he won't use some kind of special escaping (?attr_n_q or something) that allows unquoted attribute values... So that's basically my problem with overly specialized escapings. Almost nobody will understand them (heck, half of the developers don't even understand ?html), not to mention remembering and using them.
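The two claims made in this thread (a properly quoted attribute cannot be broken out of once ?html escapes the apostrophe as well, while an unquoted attribute can be broken out of with a plain space) can be checked mechanically. The following is an added example, not FreeMarker's own code: htmlEscape models what ?html does with incompatible_improvements 2.3.20 or higher (&, <, >, " and ' escaped), owaspAttrEscape models the OWASP Rule #2 attribute escaping the ticket asks for, and parseAttributes is a minimal start-tag attribute tokenizer that follows the HTML5 rules on the two points that matter here. The `<img alt=... src="x">` tag shape and the payload strings are constructed for this demonstration.

```javascript
// Added example; models the escapers discussed in the thread, not FreeMarker's source.

// Models FreeMarker's ?html built-in with incompatible_improvements >= 2.3.20:
// the apostrophe becomes &#39;, so a single-quoted attribute cannot be closed early.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// OWASP XSS Prevention Rule #2: every non-alphanumeric character with a code
// below 256 is written as &#xHH;. Whitespace and '=' are covered too, which is
// what keeps the value inside the attribute even when the quotes were forgotten.
function owaspAttrEscape(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    if (code >= 256) return c;
    return '&#x' + code.toString(16).toUpperCase().padStart(2, '0') + ';';
  });
}

// Minimal start-tag attribute parser. It follows the HTML5 tokenizer on the two
// points that matter here: a quoted value ends only at the matching quote, and
// an unquoted value ends at whitespace or '>'. Entity references are left
// undecoded because the tokenizer never treats them as delimiters.
function parseAttributes(tag) {
  const attrs = {};
  const n = tag.length;
  let i = tag.indexOf(' ');
  if (i < 0) return attrs;                 // tag carries no attributes
  const isWs = (c) => /\s/.test(c);
  while (i < n) {
    while (i < n && isWs(tag[i])) i++;
    if (i >= n || tag[i] === '>' || tag[i] === '/') break;
    let name = '';
    while (i < n && !/[\s=>\/]/.test(tag[i])) name += tag[i++];
    if (name === '') name = tag[i++];      // a leading '=' is taken as part of the name
    while (i < n && isWs(tag[i])) i++;
    let value = '';
    if (tag[i] === '=') {
      i++;
      while (i < n && isWs(tag[i])) i++;
      const q = tag[i];
      if (q === '"' || q === "'") {
        i++;
        while (i < n && tag[i] !== q) value += tag[i++];
        i++;                               // consume the closing quote
      } else {
        while (i < n && !/[\s>]/.test(tag[i])) value += tag[i++];
      }
    }
    attrs[name.toLowerCase()] = value;
  }
  return attrs;
}

// Renders the attribute shapes from the thread. quote is "'", '"' or '' (the
// unquoted case the template author was supposed to avoid).
function renderAttr(value, esc, quote) {
  return `<img alt=${quote}${esc(value)}${quote} src="x">`;
}

// Attribute names a browser would end up with. The template only writes alt and
// src, so any other name means the untrusted value broke out of its attribute.
function attributeNames(value, esc, quote) {
  return Object.keys(parseAttributes(renderAttr(value, esc, quote)));
}

// Constructed payloads, one per quoting style.
const PAYLOADS = {
  single: "x' onerror='alert(1)",
  double: 'x" onerror="alert(1)',
  unquoted: 'x onerror=alert(1)',
};

console.log(attributeNames(PAYLOADS.single, htmlEscape, "'"));       // [ 'alt', 'src' ]
console.log(attributeNames(PAYLOADS.double, htmlEscape, '"'));       // [ 'alt', 'src' ]
console.log(attributeNames(PAYLOADS.unquoted, htmlEscape, ''));      // [ 'alt', 'onerror', 'src' ]
console.log(attributeNames(PAYLOADS.unquoted, owaspAttrEscape, '')); // [ 'alt', 'src' ]
```

The third line is the case Dániel describes: with ?html-style escaping the space in the payload is untouched, so an unquoted attribute ends there and a browser sees a new onerror attribute. The fourth line shows why the OWASP attribute rule exists at all: it only adds protection in that unquoted context, which is exactly the context a careful template author never produces.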