[Flow] Fluid escaping interceptor not called when rendering view helpers with shorthand syntax

Helmut Hummel helmut.hummel at typo3.org
Sat Jul 12 18:31:08 CEST 2014


Hi Bastian,

On 11.07.14 18:05, Bastian Waidelich wrote:

> sorry for the late response ;)

No worries :)

> Maybe not that strict and universal but personally I doubt that putting
> in "more magic" makes Fluid safer.

I disagree :)

> Context aware escaping is definitely an interesting approach, but there
> will always be edge-cases

My point is to have *fewer* edge cases. The fewer edge cases there are, 
the less likely it is to introduce security issues by writing Fluid 
templates.

> unless we build a HTML engine into Fluid ;)

Well, the only way to have context aware escaping is to introduce HTML 
parsing.

> One thing I could imagine is some kind of global modifier (global as in
> Per template file) to define the escaping behavior at the top of a
> template (similar to the {namespace...} tags).

I'm not sure if this would be an improvement unless such a modifier is 
made *required*.

The more you have to write to get the desired result, the more likely it 
is that things are forgotten. The whole idea of the escaping interceptor 
(and frankly speaking of the complete Flow framework) is to write less code.


> Apart from that we should try to communicate

Yes, we need to communicate potential issues. The fewer potential issues 
we have, the less we need to communicate ;)

> ...that one should strive for *one* context per template.
> If you look at the escaping contexts from that ctemplate engine, there
> aren't too many different ones:
> http://google-ctemplate.googlecode.com/svn/trunk/doc/auto_escape.html
>
> And most of them are considered bad practice (like inline styles and
> scripts),

Hm, OK. The remaining ones are URLs (leading to the initial starter of 
the discussion being the uri vh).

I think we can agree that this should be the first goal. Strive for 
consistency with one context per template.

> so hopefully the situation improves naturally.

Might be, not sure about that though...

> Hopefully more and more people avoid these inline context-switches. It
> is maybe slightly more work at first, but it quickly pays off.

... because people are often lazy ;)


> Absolutely, and in this case it's certainly a bug in the crop VH

OK.

> I agree, and for a VH-author it's pretty straight-forward luckily:
>
> * Arguments are not intercepted (= escaped)
> * The result of renderChildren() is by default escaped, but this can be
> disabled by setting $escapingInterceptorEnabled = FALSE;
> * The result of the render() method is not intercepted
>
> That has two consequences for the developer:
>
> 1) If you want to access the un-altered child nodes, set the
> escapingInterceptorEnabled flag to FALSE
> 2) Make sure the result of your VH is safe

OK. We should add this to the documentation then.

> In the case of the crop-VH we violated both

OK ;)


> I'll go through the Fluid ViewHelpers next week and fix those
> inconsistencies. And if I get around it, I can maybe improve the
> templating section of the flow documentation to emphasize the
> pitfalls.

Sounds great!

> Yeah! Maybe we can organize an online meeting sometimes?

Maybe we can get to this topic during the tech conference call next 
Tuesday.

Kind regards,
Helmut

-- 
Helmut Hummel
Release Manager TYPO3 6.0
TYPO3 Core Developer, TYPO3 Security Team Member

TYPO3 .... inspiring people to share!
Get involved: typo3.org
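The three escaping rules Bastian lists (arguments and the result of render() are not intercepted; renderChildren() is escaped unless $escapingInterceptorEnabled is set to FALSE) are easiest to see in a view helper that applies them on purpose. The following is an added example written for this thread; it is not code from the Flow or Fluid projects. It assumes the Flow-era Fluid base class TYPO3\Fluid\Core\ViewHelper\AbstractViewHelper with registerArgument() and renderChildren(), and a hypothetical package namespace Acme\Demo. It fixes the crop-VH problem named above by taking the un-altered child content (so a crop can never cut an entity like &amp; in half) and then escaping its own output once, because nothing downstream will do it.

```php
<?php
// Added example, not part of the mailing-list thread or of the Flow/Fluid code base.
// Assumes the Fluid base class below and the escaping rules quoted in the thread.
namespace Acme\Demo\ViewHelpers;   // hypothetical package namespace

use TYPO3\Fluid\Core\ViewHelper\AbstractViewHelper;

/**
 * Crops its child content to a maximum number of characters and appends a suffix.
 *
 * Fluid usage:  <demo:safeCrop maxCharacters="10">{text}</demo:safeCrop>
 */
class SafeCropViewHelper extends AbstractViewHelper {

	/**
	 * Consequence 1 from the thread: we want the un-altered child nodes, so the
	 * escaping interceptor is switched off for everything rendered between the tags.
	 * Cropping already-escaped text could otherwise split "&amp;" into "&am".
	 *
	 * @var boolean
	 */
	protected $escapingInterceptorEnabled = FALSE;

	/**
	 * Arguments are never intercepted, so they are validated by type only.
	 */
	public function initializeArguments() {
		$this->registerArgument('maxCharacters', 'integer', 'Maximum length of the output', TRUE);
		$this->registerArgument('append', 'string', 'Suffix appended when the text was cropped', FALSE, '...');
	}

	/**
	 * The result of render() is not intercepted, so this helper is responsible
	 * for returning something that is safe to place into HTML.
	 *
	 * @return string escaped HTML
	 */
	public function render() {
		$raw = (string) $this->renderChildren();   // raw because of the flag above
		return self::cropAndEscape($raw, $this->arguments['maxCharacters'], $this->arguments['append']);
	}

	/**
	 * Consequence 2 from the thread: make the result safe. Escaping happens after
	 * cropping, so entities are never cut apart and the suffix is escaped as well.
	 *
	 * @param string $raw un-escaped child content
	 * @param integer $maxCharacters
	 * @param string $append
	 * @return string
	 */
	public static function cropAndEscape($raw, $maxCharacters, $append) {
		if (mb_strlen($raw, 'UTF-8') > $maxCharacters) {
			$raw = mb_substr($raw, 0, $maxCharacters, 'UTF-8') . $append;
		}
		// Example: cropAndEscape('<b>Tom & Jerry</b>', 7, '...') returns '&lt;b&gt;Tom...'
		return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
	}
}
```

Disabling the interceptor switches off escaping for everything rendered between the tags, including the output of nested view helpers, so the helper has to treat its child content as untrusted and escape exactly once itself. Doing the crop on the raw string and the escaping on the result is what keeps both of Bastian's consequences satisfied.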