[Flow] Fluid escaping interceptor not called when rendering view helpers with shorthand syntax
Helmut Hummel
helmut.hummel at typo3.org
Thu Jul 3 14:42:34 CEST 2014
Hi Bastian,
On 03.07.14 11:35, Bastian Waidelich wrote:
> I'm with you now. But I'm not sure what to do about it.
> The rule "as soon as you use a VH the automatic escaping is disabled"
> makes sense I think and changing the uri.* ViewHelpers to escape their
> result would also be confusing IMO.
To be clear: I was not talking about changing the behavior of uri.*
ViewHelpers only. That would indeed make no sense.
> Changing the behavior depending on the context could also be very
> misleading and difficult to comprehend[1].
Changing the behavior depending on the context would make much sense.[1]
But this might not be an easy task.
> I would suggest to communicate the current behavior *very clearly and
> visibly* in the templating documentation[2] and promote ways to
> circumvent problems up front.
What should be part of such documentation:
==========================================================
Format HTML:
  values of tag-based VH       -> are escaped
  {obj.property}               -> is escaped
  {objWithToString}            -> not escaped
  {f:anyShippedVH}             -> not escaped
  {ns:myOwnVH}                 -> not escaped

  <p style="color: {obj.color};" title="{obj.title}">
  {obj.color}                  -> wrong escaping

  <script type="text/javascript">
  var userName = {user.name};
  </script>
  {user.name}                  -> wrong escaping

Format Json/XML/... :
  No escaping
==========================================================
However, as written before: from a user perspective all the above seems
too much to comprehend and hard to get right.
I'm not sure how to proceed here.
How can we improve the syntax in order to make it easier to write
correct and secure templates?
How can we improve the parsing to become context aware[1]?
Kind regards,
Helmut
[1]http://www.php-security.org/2010/05/05/mops-submission-02-context-aware-html-escaping/index.html
--
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
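As an added illustration of the "wrong escaping" rows in the table above (example code, not part of the original mail and not Flow/Fluid code; all function names are constructed), a minimal set of per-context escapers, with the HTML-escaped script line placed beside a JS-string-escaped one so the difference is visible:

```python
import html
import json
import re

# Constructed helpers, one escaper per output context, mirroring the
# "Format HTML" rows of the table in the mail above.

def escape_html(value: str) -> str:
    """htmlspecialchars-style escaping: correct for {obj.property} in HTML
    text and inside a quoted attribute such as title="{obj.title}"."""
    return html.escape(value, quote=True)

def escape_js_string(value: str) -> str:
    """Emit a quoted JavaScript string literal. '/' is escaped as well so a
    value containing '</script>' cannot close the surrounding script block."""
    return json.dumps(value).replace("/", "\\/")

def escape_css_color(value: str) -> str:
    """CSS has no escape that makes arbitrary text safe in a property value,
    so allow-list a color token (#hex or keyword) and fall back otherwise."""
    if re.fullmatch(r"#[0-9a-fA-F]{3,6}|[a-zA-Z]+", value):
        return value
    return "inherit"

def render_script_html_escaped(user_name: str) -> str:
    """The 'wrong escaping' row: HTML escaping applied inside <script>.
    Quotes and '<' are neutralised, but ';', '(' and ')' pass through and
    the value is not even a string literal, so its JS meaning is not kept."""
    return "var userName = " + escape_html(user_name) + ";"

def render_script(user_name: str) -> str:
    """Context-aware version of the same script line."""
    return "var userName = " + escape_js_string(user_name) + ";"

def render_paragraph(color: str, title: str) -> str:
    """Context-aware <p style="color: {obj.color};" title="{obj.title}">."""
    return '<p style="color: %s;" title="%s">' % (
        escape_css_color(color), escape_html(title))
```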