[Neos] FYI: Summary of today's "Technical Meeting"
Bastian Waidelich
bastian at typo3.org
Tue Jul 22 17:06:23 CEST 2014
Hello list,
here's the summary of today's quick technical meeting (see
http://wiki.typo3.org/TYPO3_Neos-DiscussionMeetings):
Participants: Karsten Dambekalns, Jacob Floyd, Helmut Hummel, Marc
Neuhaus, Christian Müller, Bastian Waidelich
== Possible Fluid security improvements ==
* Initiator(s): Helmut Hummel
=== Background: ===
The default escaping interceptor has limitations and deserves some
additional observation.
See discussion: http://forum.typo3.org/index.php/t/204660/
Related changes: https://review.typo3.org/31312
https://review.typo3.org/24551
Regarding context aware escaping see:
http://googleonlinesecurity.blogspot.de/2009/03/reducing-xss-by-way-of-automatic.html
Nette Framework has implemented that:
http://doc.nette.org/en/2.1/templating#toc-context-aware-escaping
=== Possible discussions: ===
* Besides probably being complex to implement, is context aware escaping
really not desired?
* What options besides determining the context do we have to make writing
Fluid templates less error-prone?
=== CONCLUSIONS ===
We agreed that "context aware escaping" is an interesting topic but not
a viable solution for the short-term because of the way the Fluid parser
works.
We identified two major issues with the escaping behavior:
1) The behavior is not properly documented (escaping interceptors, best
practices, security advisories, ...)
2) The provided (format) ViewHelpers don't behave consistently
We agreed that these issues need to be addressed and we also came up
with the suggestion to enable escaping interceptors *by default* - This
is currently only the case if the requested format is HTML.
To make it easier to adapt (non-HTML) templates to the previous behavior
we'd need a new modifier that allows for disabling the escape
interceptors globally for a template file.
See https://jira.typo3.org/browse/FLOW-26 for details
--
Bastian Waidelich
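The meeting notes contrast the current single escaping interceptor (one HTML escaping pass, applied only when the requested format is HTML) with the context-aware escaping used by Nette. The following PHP is an added example written for this page; it is not code from the meeting, from Fluid or from Neos. It models the blanket interceptor as htmlspecialchars() with ENT_QUOTES (the flags Fluid's own interceptor uses are not asserted here), models a context-aware escaper that picks the encoder from the output context, and renders three constructed template fragments both ways so the difference is visible. The context constants, function names and sample values are all assumptions made for the example.

```php
<?php
// Added example, not part of the Neos meeting summary or of Fluid/Neos code.
// Shows why one HTML escaping pass is not enough once a value lands in an
// unquoted attribute, a JavaScript string or a URL parameter, and what a
// context-aware escaper (Nette style) does instead.
declare(strict_types=1);

// Output contexts a context-aware template parser would have to track
// (names are assumptions for this example).
const CTX_HTML_TEXT     = 'html_text';
const CTX_ATTR_QUOTED   = 'attr_quoted';
const CTX_ATTR_UNQUOTED = 'attr_unquoted';
const CTX_JS_STRING     = 'js_string';   // inside a quoted JS string literal
const CTX_URL_PARAM     = 'url_param';   // a single query-string value

/** The blanket pass: what a default escaping interceptor applies everywhere. */
function escapeHtmlOnly(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Context-aware escaping: the encoder depends on where the value is emitted. */
function escapeForContext(string $value, string $context): string
{
    switch ($context) {
        case CTX_HTML_TEXT:
        case CTX_ATTR_QUOTED:
            return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        case CTX_ATTR_UNQUOTED:
            // Nothing that htmlspecialchars() touches terminates an unquoted
            // attribute; a space does. The safe output is a quoted attribute.
            return '"' . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '"';
        case CTX_JS_STRING:
            // json_encode() produces a valid JS string literal; the HEX flags
            // turn < > & ' " into \uXXXX so neither quote type nor </script>
            // can end the literal or the script element. The outer double
            // quotes are stripped so the result fits inside the template's
            // own quotes, whichever type they are.
            $literal = json_encode(
                $value,
                JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
            );
            return substr($literal, 1, -1);
        case CTX_URL_PARAM:
            // Percent-encoding keeps & and = from introducing extra parameters.
            return rawurlencode($value);
    }
    throw new InvalidArgumentException("unknown context: $context");
}

/** Render a fragment [prefix, context, suffix] with a given escaper. */
function render(array $fragment, string $value, callable $escape): string
{
    [$prefix, $context, $suffix] = $fragment;
    return $prefix . $escape($value, $context) . $suffix;
}

// Constructed template fragments and attacker-controlled sample values.
$cases = [
    'unquoted attribute' => [
        ['<div title=', CTX_ATTR_UNQUOTED, '>'],
        'x onmouseover=alert(1)',
    ],
    'JS string' => [
        ['<script>var name = \'', CTX_JS_STRING, '\';</script>'],
        "O'Neil</script><script>alert(1)</script>",
    ],
    'URL parameter' => [
        ['<a href="/search?q=', CTX_URL_PARAM, '">'],
        'a&b=c',
    ],
];

foreach ($cases as $label => [$fragment, $value]) {
    echo "== $label ==\n";
    // Blanket pass: passes the attribute payload through untouched (an event
    // handler is injected), leaves HTML entities inside the script (wrong
    // data, which is what tempts authors to switch escaping off), and emits
    // a&amp;b=c that the browser decodes back into a second parameter.
    echo "html-only:     ", render($fragment, $value, fn($v, $c) => escapeHtmlOnly($v)), "\n";
    echo "context-aware: ", render($fragment, $value, 'escapeForContext'), "\n\n";
}
```

Run it with `php` on the command line and compare the two lines per case. The point for the template author is the one raised in the "Possible discussions" section: with a single HTML-level pass, safety depends on the author knowing which contexts the pass does not cover, whereas a context-aware engine has to track the context in its parser, which is the cost the meeting judged too high for Fluid in the short term.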