Bug in URI ?!

Aaron Trevena aaron.trevena at gmail.com
Wed Aug 16 14:27:33 BST 2006

On 16/08/06, Dominic Mitchell <dom at happygiraffe.net> wrote:
> > Exactly - what's wrong with [% value | html %] ?
> >
> > Works for me
> It works, but you're an expert web programmer with years of experience.
> You know to put it there.

Why, Thank You ;)

It's there by default in several maypole templates, but..

> And I bet that were I to look at some of your source code to a web site,
> you'll have missed at least one.  And that's quite likely to be a cross
> site scripting security hole waiting to happen.

..but even in webpages, not everything has to be html escaped - you
could have HTML generated from outside the template.

I've worked with a templating system that did just that (HTML escaped
everything) - it sucked, and working with something that parses and
munges HTML was equally awful.

Unless the code can filter in a smart enough way to DTRT in at least
99% of cases (which is pretty much inacheivable) you've got a bigger
problem that you started with. You don't want url's and links or
javascript being escaped, and URI's should be escaped in a different
manner anyway.

Not only that but actually a fair amount of data I template isn't HTML
at all, it's Javascript, CSS, JSON and XML, and I frequently use TT
for things like generating XML, SQL, Configuration, etc in a non-web

> Why are you opposed to making the tools work according to spec?

TT is a general purpose templating system, it provides a way to HTML
escape easily, and escaping URIs is also possible trivially.

Like I said, it works for me - I'd sooner spend the time designing the
security (with explicit rules about what goes in, rather than hoping
to catch XSS on the way out) properly.



More information about the london.pm mailing list