Bug in URI ?!

Dominic Mitchell dom at happygiraffe.net
Wed Aug 16 22:10:26 BST 2006

Aaron Trevena wrote:
> On 16/08/06, Dominic Mitchell <dom at happygiraffe.net> wrote:
>> > Exactly - what's wrong with [% value | html %] ?
>> >
>> > Works for me
>> It works, but you're an expert web programmer with years of experience.
>> You know to put it there.
> Why, Thank You ;)
> It's there by default in several maypole templates, but..

Excellent -- providing hints that it should be there is a great start.

>> And I bet that were I to look at some of your source code to a web site,
>> you'll have missed at least one.  And that's quite likely to be a cross
>> site scripting security hole waiting to happen.
> ..but even in webpages, not everything has to be html escaped - you
> could have HTML generated from outside the template.
> I've worked with a templating system that did just that (HTML escaped
> everything) - it sucked, and working with something that parses and
> munges HTML was equally awful.
> Unless the code can filter in a smart enough way to DTRT in at least
> 99% of cases (which is pretty much unachievable) you've got a bigger
> problem than you started with. You don't want URLs and links or
> javascript being escaped, and URIs should be escaped in a different
> manner anyway.

No, you just need a simple way to turn it on and off.  I fully agree 
that HTML escaping *everything* by default is a very bad idea indeed. 
But it makes sense when you're templating web pages, that output should 
be escaped by default.

For instance, in Mason, I do this:[1]

   $foo = "<b>fred</b>";

   <% $foo %>

to get "&lt;b&gt;fred&lt;b&gt;".  But to get the real bolded fred I do:

   <% $foo |n %>

All it means is that the defaults are switched.  And it becomes very 
obvious quickly when you look at the output where you need to turn off 
the escaping.  Unlike the reverse situation, where it's rarely obvious 
that you need to html-escape something until you find that somebody's 
doing cross-site-scripting on your site.

> Not only that but actually a fair amount of data I template isn't HTML
> at all, it's Javascript, CSS, JSON and XML, and I frequently use TT
> for things like generating XML, SQL, Configuration, etc in a non-web
> environment.
>> Why are you opposed to making the tools work according to spec?
> TT is a general purpose templating system, it provides a way to HTML
> escape easily, and escaping URIs is also possible trivially.

Yep, TT is very general indeed.  This sort of behaviour is quite likely 
inappropriate as a default for it.  But, it should also be easily enabled.

> Like I said, it works for me - I'd sooner spend the time designing the
> security (with explicit rules about what goes in, rather than hoping
> to catch XSS on the way out) properly.

I absolutely concur.  Designing for security up front is completely the 
way to go.  But it still seems to me that you could get a big win for a 
relatively small cost by switching the defaults to escape HTML when 
you're actually generating HTML.


[1] You have to configure this behaviour though.  See 
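The "switched defaults" Dominic describes for Mason, as an added example that is not part of the original thread and not Mason's or Template Toolkit's own code: a toy renderer for `<% $var %>` substitution tags in which a bare tag HTML-escapes by default and `|n` opts out, versus the opt-in mode where `|h` must be remembered. The flag letters `h`, `u` and `n` follow HTML::Mason's escape flags; the `render` and `raw_outputs` functions, the regex and the sample template and values are all constructed for this example.

```python
import html
import re
from urllib.parse import quote

# Substitution tag: <% $name %> or <% $name |flags %>.  The flag letters
# follow HTML::Mason (h = HTML-escape, u = URI-escape, n = no escaping), but
# the renderer itself is a toy written for this example, not Mason.
TAG = re.compile(r"<%\s*\$(\w+)\s*(?:\|\s*([a-z]+))?\s*%>")


def render(template: str, vars: dict, escape_by_default: bool = True) -> str:
    """Expand <% $var %> tags.

    escape_by_default=True is the "switched defaults" case: a bare tag is
    HTML-escaped and trusted markup needs an explicit |n.  With False a bare
    tag is emitted raw and the author must remember |h (TT's [% x | html %]).
    """

    def substitute(match: re.Match) -> str:
        name, flags = match.group(1), match.group(2) or ""
        value = str(vars[name])
        if "n" in flags:
            return value                       # explicit opt-out: trusted HTML
        if "u" in flags:
            return quote(value, safe="")       # URI-component escaping, not HTML
        if "h" in flags or escape_by_default:
            return html.escape(value, quote=True)
        return value                           # opt-in mode with no flag: raw

    return TAG.sub(substitute, template)


def raw_outputs(template: str, escape_by_default: bool = True) -> list[str]:
    """Names that reach the page unescaped.  Under escape-by-default this is
    just the |n tags, a short list a reviewer can check; under opt-in it is
    every tag someone forgot to flag, which is the hole Dominic describes."""
    names = []
    for m in TAG.finditer(template):
        flags = m.group(2) or ""
        if "n" in flags or (not escape_by_default and "h" not in flags and "u" not in flags):
            names.append(m.group(1))
    return names


# Constructed sample: one value straight from a request, one trusted HTML
# fragment produced outside the template (the case Aaron raises).
PAGE = (
    '<p>Hello <% $name %></p>\n'
    '<div><% $sidebar |n %></div>\n'
    '<a href="/u/<% $name |u %>">me</a>'
)
VARS = {"name": "O'Reilly <script>", "sidebar": "<b>fred</b>"}

if __name__ == "__main__":
    print(render(PAGE, VARS))
    print("raw under escape-by-default:", raw_outputs(PAGE))
    print("raw under opt-in escaping:  ", raw_outputs(PAGE, escape_by_default=False))
```

Rendering the sample page shows the asymmetry the mail argues: with escaping on by default the mangled sidebar is visible at once and fixed with one `|n`, while with opt-in escaping the page renders fine and the unescaped `name` only shows up when untrusted input arrives.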

More information about the london.pm mailing list