[FLOW3-general] Security framework for escaping/ encoding output?

Bastian Waidelich bastian at typo3.org
Mon Sep 20 11:53:39 CEST 2010


Andreas Förthner wrote:

Hi Andi & co,

>>> Thirdly, three of the four links Helmut posted were not about handling
>>> data which goes into the Persistent Framework, but about data which is
>>> sent back to the visitor.

> This is currently only implemented within Fluid.

Currently, htmlspecialchars() is applied to everything that you output 
directly in a fluid template:

// in your controller (PHP):
$this->view->assign('name', '<script>// XSS</script>');

// in your template (Fluid)
{name}

// output
&lt;script&gt;// XSS&lt;/script&gt;

Additionally all tag based core ViewHelpers use the TagBuilder 
internally which escapes attributes and values by default.

Nevertheless the developer could create "insecure" output from within 
custom ViewHelpers and/or by using Fluid tags inside script tags.
I think, it would be quite hard to avoid the above automatically as it 
always depends on the context whether a string is insecure or not.
What I could imagine is some kind of ESAPI viewhelper that you could use 
something like this:

{name -> f:security.esapiJavaScript()}

Bastian
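Added example, not FLOW3 or Fluid project code: it illustrates the point of the post above, namely that whether htmlspecialchars() output is "secure" depends on the context it lands in (HTML body vs. a JavaScript string inside a script tag), and what a context-specific encoder in the spirit of the proposed `f:security.esapiJavaScript()` ViewHelper would do. The helper names `escapeHtml()`, `escapeJavaScript()` and `renderScript()` and the sample values are assumptions made for the example.

```php
<?php
// Added example (not FLOW3/Fluid code). Requires the mbstring extension for
// mb_ord(). Helper names are hypothetical.

// HTML body context: what Fluid's default {name} output does. Flags and
// charset are passed explicitly; the ENT_COMPAT default of 2010-era PHP
// leaves single quotes untouched, which matters once the value is placed
// inside a JavaScript string literal.
function escapeHtml(string $value, int $flags = ENT_COMPAT): string
{
    return htmlspecialchars($value, $flags, 'UTF-8');
}

// JavaScript string-literal context, ESAPI style: every character outside
// [A-Za-z0-9] becomes \xHH (or \uHHHH above 0xFF). No quote, backslash,
// newline or "</" sequence survives, so the value can neither leave the
// literal nor terminate the enclosing <script> element, and JavaScript
// decodes the escapes back to the original characters at runtime.
function escapeJavaScript(string $value): string
{
    $out = '';
    foreach (preg_split('//u', $value, -1, PREG_SPLIT_NO_EMPTY) as $char) {
        if (preg_match('/^[A-Za-z0-9]$/', $char)) {
            $out .= $char;
            continue;
        }
        $cp = mb_ord($char, 'UTF-8');
        $out .= $cp < 0x100 ? sprintf('\\x%02X', $cp) : sprintf('\\u%04X', $cp);
    }
    return $out;
}

// Template fragment that places a value inside a JavaScript string literal:
// the "Fluid tags inside script tags" situation the post mentions.
function renderScript(string $encodedName): string
{
    return "<script>var name = '" . $encodedName . "';</script>";
}

// Constructed sample values (same tag as in the post, plus a harmless name
// containing a single quote).
$tag   = '<script>// XSS</script>';
$quote = "O'Brien";

// 1. HTML body context: htmlspecialchars() is the right tool here; the
//    angle brackets become entities and no element is created.
echo '<p>' . escapeHtml($tag) . "</p>\n";

// 2. Script context with HTML escaping only: the single quote passes
//    through, so the string literal ends early and the page's JavaScript
//    is syntactically broken; the developer's usual reaction is to turn the
//    escaping off, which is the "insecure output" the post warns about.
echo renderScript(escapeHtml($quote)) . "\n";

// 3. Script context with the JavaScript encoder: the quote is emitted as
//    \x27, the literal stays intact and the runtime value is unchanged.
echo renderScript(escapeJavaScript($quote)) . "\n";
```

The design choice worth noting is that the JavaScript encoder whitelists rather than blacklists: instead of listing "dangerous" characters, it encodes everything that is not alphanumeric, so it does not need to know which delimiter (quote, backslash, `</`) the surrounding template happens to use. This is why a per-context ViewHelper can be safe where a single automatic escaping rule cannot be.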

