[Flow] Fluid escaping interceptor not called when rendering view helpers with shorthand syntax
Helmut Hummel
helmut.hummel at typo3.org
Thu Jul 3 17:38:52 CEST 2014
Hi!
On 03.07.14 15:09, Bastian Waidelich wrote:
> Helmut Hummel wrote:
>
>> Changing the behavior depending on the context would make much sense.
>
> Ok, let's just agree to disagree on that matter ;)
You disagree that context-aware escaping in a templating engine[1] would
reduce the risk of introducing security issues?
>> <p style="color: {obj.color};" title="{obj.title}">;
>>
>> {obj.color} -> wrong escaping
>
> Why would that be wrong?
This is one of the many HTML contexts where htmlspecialchars encoding is
not enough: since ";" and ":" are not encoded, you can apply all the styles
you want, and you can do a lot with CSS3 nowadays ;)
>> <script type="text/javascript">
>> var userName = {user.name};
>> </script>;
>>
>> {user.name} -> wrong escaping
>
> I'm not trying to defend Fluid here, but I wouldn't call this "wrong"
> either, the variable would be "htmlspecialchared" which might be desired
> and could be avoided with {user.name -> f:format.raw()}
It (documenting implications and behavior) is not about whether Fluid is
good or bad, but about what it does when, and what it does not.
> BTW: running a variable through a ViewHelper does not disable the
> escaping per se - only for the VH arguments.
> That means that the format.* ViewHelpers do not disable escaping for
> example.
>
> There are nasty exceptions though:
>
> {string -> f:format.crop(maxCharacters: 10)} // escaping active
> {f:format.crop(value: string, maxCharacters: 10)} // escaping inactive!
Wow. While I understand this from a technical point of view, from
(repeating myself) a user perspective this is impossible to grasp. At
least it is very likely to be done wrong.
> This is consistent in the technical sense, but it is obviously very
> error-prone and I suggest fixing those rare cases by applying the
> escaping manually where applicable.
I don't have an overview of which places exactly you mean, but more
consistency in that regard would be good.
Would be great if we could discuss these issues in person. When is the
next code sprint?
Kind regards,
Helmut
[1]http://googleonlinesecurity.blogspot.de/2009/03/reducing-xss-by-way-of-automatic.html
--
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Member
TYPO3 .... inspiring people to share!
Get involved: typo3.org
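The context-dependent escaping Helmut argues for, shown side by side with htmlspecialchars-style escaping on the two fragments quoted in this thread (the style attribute and the script body). This is an added example written for this archive page, not code from the thread or from Fluid; `escape_css` and `escape_js` are hypothetical helpers, and the sample value is constructed.

```python
import html
import json
import re

# Constructed sample value: a harmless string that happens to contain the
# CSS metacharacters ';' and ':' that htmlspecialchars() leaves untouched.
SAMPLE_COLOR = "red; font-size: 99px"


def escape_html(value: str) -> str:
    """HTML text/attribute context: what Fluid's default escaping does
    (the equivalent of PHP htmlspecialchars() with ENT_QUOTES)."""
    return html.escape(value, quote=True)


def escape_css(value: str) -> str:
    """CSS value context (hypothetical helper, not a Fluid ViewHelper):
    every character outside [A-Za-z0-9] becomes a \\HHHHHH escape, so ';',
    ':' or '(' can no longer end or extend the declaration."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: "\\%06x " % ord(m.group(0)), value)


def escape_js(value: str) -> str:
    """JS string-literal context (hypothetical helper): emit a JSON literal
    with '<', '>' and '&' additionally \\u-encoded, so the value is a quoted
    string that cannot close the surrounding <script> element."""
    literal = json.dumps(value)
    return literal.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def style_attribute(color: str, escaper) -> str:
    """Render the thread's <p style="color: {obj.color};"> fragment with the
    given escaper, so html and css escaping can be compared directly."""
    return '<p style="color: %s;">' % escaper(color)


def script_assignment(name: str) -> str:
    """Render the thread's 'var userName = {user.name};' line with the JS
    escaper; the value becomes a quoted literal instead of bare text."""
    return "<script>var userName = %s;</script>" % escape_js(name)


if __name__ == "__main__":
    print(style_attribute(SAMPLE_COLOR, escape_html))  # ';' and ':' survive
    print(style_attribute(SAMPLE_COLOR, escape_css))   # both are \-escaped
    print(script_assignment("O'Neil </script>"))
```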