Re: [htmltmpl] Suggestion on how to eliminate Cross-site-scripting (XSS) bugs for good.
From: Mathew R. <mat...@ne...> - 2006-10-26 00:12:04
>> Having read the thread, I don't think that's enough for me. I want to still
>> need to explicitly specify "ESCAPE=HTML" everywhere (without having a default
>> escape), to have an exception raised on a non-escaped occurrence, and to add
>> an explicit unescaping (like "ESCAPE="0"").
>
> Let me see if I've got this straight: you want to force the template
> writer to include "ESCAPE=something" in every TMPL_VAR, where
> "something" can be "HTML", "URL", or a value indicating "no escapes"
> (say, "TEXT"); failure to do so would cause a catchable error in your
> script when you try to evaluate the template. Right?

hmm... it doesn't sound right at all. Forcing the developer to remember to have to type ESCAPE=... for every TMPL_VAR is just not right. I personally forget to even use NAME=... and I just about never quote the value either due to laziness. The reality is that people are lazy/forgetful/efficient - the general idea in life is to make life easier, not harder.

I'd suggest just using the functionality as is. i.e.: set default_escape to whatever the default is; when no escape is necessary, then the developer will explicitly say so.

>> So I guess I'm going to fire up my editor and write an HTML::Template
>> sub-class.
>
> Probably. May I suggest a form for your subclass to take? Let
> "default_escape" contain two additional values: "TEXT" (which means
> the same as "0" above, and can also be used in 'ESCAPE=' to override
> the default with no escaping), and "NONE" (which throws an exception
> any time a TMPL_VAR lacks 'ESCAPE='). This will let you easily switch
> to an appropriate default_escape value once transition to the new code
> is complete.

Please don't use "TEXT" to mean none - there is at least one filter that has been posted on this list which is for 'text' documents. i.e.: the filter is like the HTML filter, but also handles newlines & carriage returns, etc.

How about "NONE" or "NO" or "0" to mean 'no escaping is necessary'.

Also, "NONE" (as described above) should be "THROW" - the term is common in computer science, let's use it.

Mathew
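As an added illustration following the post above (this is not code from Mathew's message, from the quoted replies, or from the HTML::Template project itself), the Perl script below shows the two behaviours the thread is weighing against each other: the "use the functionality as is" approach, where `default_escape => 'HTML'` escapes every TMPL_VAR unless the template opts out with `ESCAPE="0"` or picks another escape such as `ESCAPE="URL"`; and the "throw on a missing ESCAPE=" approach, implemented here with HTML::Template's documented `filter` option rather than the subclass the thread talks about. The `default_escape`, `filter`, `scalarref`, `param` and `output` calls are documented HTML::Template options and methods; the templates, the `$require_escape` filter and the hostile `$evil` input are constructed for this example.

```perl
#!/usr/bin/perl
# Added example, not HTML::Template project code. Demonstrates default_escape
# with explicit per-variable overrides, and a "strict" mode that dies at
# template load time when any TMPL_VAR lacks an ESCAPE= attribute.
use strict;
use warnings;
use HTML::Template;

# Strict mode as a 'filter': HTML::Template passes a reference to the template
# text before parsing it, so a die() here surfaces as a catchable error from
# new(). Handles both <TMPL_VAR ...> and <!-- TMPL_VAR ... --> syntaxes.
# (Constructed for this example; HTML::Template has no such option built in.)
my $require_escape = sub {
    my $text_ref = shift;
    my @missing;
    while ( $$text_ref =~ /<(?:!--\s*)?TMPL_VAR\b(.*?)(?:\s*--)?>/gis ) {
        my $attrs = $1;
        push @missing, $attrs unless $attrs =~ /\bESCAPE\s*=/i;
    }
    die "TMPL_VAR without ESCAPE=: "
      . join( ', ', map { "<TMPL_VAR$_>" } @missing ) . "\n"
      if @missing;
};

# Constructed attacker-controlled input, e.g. straight from a query string.
my $evil = q{"><script>alert(document.cookie)</script>};

# 1. "Use the functionality as is": default_escape covers every TMPL_VAR,
#    and the template says so explicitly where it wants something else.
my $tmpl = <<'END';
<p>Hello, <TMPL_VAR NAME="user">!</p>
<a href="/profile?u=<TMPL_VAR NAME="user" ESCAPE="URL">">profile</a>
<div><TMPL_VAR NAME="trusted_html" ESCAPE="0"></div>
END

my $t = HTML::Template->new( scalarref => \$tmpl, default_escape => 'HTML' );
$t->param(
    user         => $evil,
    trusted_html => '<em>server-generated markup</em>',
);
# First variable is HTML-escaped by the default, the href one is URL-escaped,
# and only the one marked ESCAPE="0" is emitted raw.
print $t->output;

# 2. "Throw": the same template fails to load under the strict filter because
#    its first TMPL_VAR relies on the default instead of stating ESCAPE=...
my $strict = eval {
    HTML::Template->new(
        scalarref      => \$tmpl,
        default_escape => 'HTML',
        filter         => $require_escape,
    );
};
print "strict load refused the template: $@" if !$strict;

# A template that states its intent on every variable passes strict mode.
my $ok_tmpl = <<'END';
<p>Hello, <TMPL_VAR NAME="user" ESCAPE="HTML">!</p>
<div><TMPL_VAR NAME="trusted_html" ESCAPE="0"></div>
END

my $s = HTML::Template->new( scalarref => \$ok_tmpl, filter => $require_escape );
$s->param(
    user         => $evil,
    trusted_html => '<em>server-generated markup</em>',
);
print $s->output;
```

The filter approach gives the "catchable error when you try to evaluate the template" the quoted reply asked for without touching HTML::Template internals, and it composes with `default_escape`: a team can turn the filter on during a transition to flush out every unmarked TMPL_VAR, then drop it once the templates are clean and lean on the default.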