Bug in URI ?!
aaron.trevena at gmail.com
Wed Aug 16 14:27:33 BST 2006
On 16/08/06, Dominic Mitchell <dom at happygiraffe.net> wrote:
> > Exactly - what's wrong with [% value | html %] ?
> > Works for me
> It works, but you're an expert web programmer with years of experience.
> You know to put it there.
Why, Thank You ;)
It's there by default in several maypole templates, but..
> And I bet that were I to look at some of your source code to a web site,
> you'll have missed at least one. And that's quite likely to be a cross
> site scripting security hole waiting to happen.
..but even in webpages, not everything has to be html escaped - you
could have HTML generated from outside the template.
I've worked with a templating system that did just that (HTML escaped
everything) - it sucked, and working with something that parses and
munges HTML was equally awful.
Unless the code can filter in a smart enough way to DTRT in at least
99% of cases (which is pretty much inachievable) you've got a bigger
problem than you started with. You don't want URLs and links or
Not only that but actually a fair amount of data I template isn't HTML
for things like generating XML, SQL, Configuration, etc in a non-web
> Why are you opposed to making the tools work according to spec?
TT is a general purpose templating system, it provides a way to HTML
escape easily, and escaping URIs is also possible trivially.
Like I said, it works for me - I'd sooner spend the time designing the
security (with explicit rules about what goes in, rather than hoping
to catch XSS on the way out) properly.
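The three situations Aaron describes (text that must be HTML-escaped, a value going into a URL, and markup produced outside the template that must pass through untouched) can be shown side by side with Template Toolkit's own filters. The following is an added example written for this page, not code from the thread or from Template Toolkit's distribution; it assumes the Template module is installed, and the variable names and sample values are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Template;

# Constructed sample data: one hostile-looking comment, one search string
# with URL-significant characters, and one HTML fragment that was built
# outside the template (e.g. by a navigation helper) and is already safe.
my %vars = (
    comment => q{<script>alert("xss")</script> & "quotes"},
    search  => q{perl & templates/XSS?},
    sidebar => q{<ul><li><a href="/about">About</a></li></ul>},
);

# Each value is escaped for the context it lands in:
#   html -> &, <, > and " become entities, so the comment renders as text
#   uri  -> percent-encodes everything outside the RFC 3986 unreserved set,
#           so the search string cannot break out of the query parameter
#   no filter -> the pre-built sidebar markup is emitted verbatim; this is
#           the case a blanket "escape everything" default would mangle
my $template = <<'TT';
<p>[% comment | html %]</p>
<a href="/search?q=[% search | uri %]">search again</a>
<div class="nav">[% sidebar %]</div>
TT

# Render the template to a string and return it.
sub render {
    my ($tmpl, $vars) = @_;
    my $tt = Template->new() or die Template->error();
    my $output;
    $tt->process(\$tmpl, $vars, \$output) or die $tt->error();
    return $output;
}

print render($template, \%vars);
```

Running it shows the comment's angle brackets and quotes as entities, the search string percent-encoded inside the href, and the sidebar list unchanged. The point the thread is circling is that the template author, not the engine, knows which of the three cases each variable is; a default that treats every value as the first case is wrong for the third, and one that skips escaping is wrong for the first two.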