Bug in URI ?!

[Aaron Trevena]

On 16/08/06, Dominic Mitchell <dom at happygiraffe.net> wrote:
> > Exactly - what's wrong with [% value | html %] ?
> >
> > Works for me
>
> It works, but you're an expert web programmer with years of experience.
> You know to put it there.

Why, Thank You ;)

It's there by default in several maypole templates, but..

> And I bet that were I to look at some of your source code to a web site,
> you'll have missed at least one.  And that's quite likely to be a cross
> site scripting security hole waiting to happen.

..but even in webpages, not everything has to be html escaped - you
could have HTML generated from outside the template.

I've worked with a templating system that did just that (HTML escaped
everything) - it sucked, and working with something that parses and
munges HTML was equally awful.

Unless the code can filter in a smart enough way to DTRT in at least
99% of cases (which is pretty much inacheivable) you've got a bigger
problem that you started with. You don't want url's and links or
javascript being escaped, and URI's should be escaped in a different
manner anyway.

Not only that but actually a fair amount of data I template isn't HTML
at all, it's Javascript, CSS, JSON and XML, and I frequently use TT
for things like generating XML, SQL, Configuration, etc in a non-web
environment.

> Why are you opposed to making the tools work according to spec?

TT is a general purpose templating system, it provides a way to HTML
escape easily, and escaping URIs is also possible trivially.

Like I said, it works for me - I'd sooner spend the time designing the
security (with explicit rules about what goes in, rather than hoping
to catch XSS on the way out) properly.

Cheers,

A.