-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add ", ', and ` to the list of chars that need HTML escaping. #68
Conversation
Previously, only < and > were escaped. This meant that any Handlebars template that used user input in an HTML attribute value was wide open to a trivial XSS exploit. Note that unquoted attribute values are still open to attack, but this set of characters at least brings Handlebars in line with other Mustache implementations and other template languages. See the OWASP XSS prevention cheat sheet (rule handlebars-lang#1) for the rationale behind escaping these characters: https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
Is there a problem with this patch? I'd be happy to make any changes necessary to land it. In case my description wasn't clear, the current set of escaped characters allows an easy XSS via HTML attribute values. If we use a context object like this one that contains some malicious user input...
...to render this seemingly harmless template...
...then the attacker's JavaScript is executed and he has the cookies of any user who mouses over that link, because Handlebars doesn't currently escape content properly for use in attribute values. Since other Mustache implementations commonly escape at least |
I support escaping " and ', but why '/'? And for that matter, why bother escaping '>'? -- it's not a reserved character in HTML. If people are using handlebars and not quoting their attributes, you actually need to escape all of these: If attributes are escaped, then all you need is '<','&', and the two quote characters. |
I wrote that blog post, and I think you may not have understood the message, which is that there's no single way to escape input so that it can be used safely everywhere. I think it's reasonable to make things safe for use only in quoted attributes, as long as we document that unquoted attributes are unsafe. It's not feasible to provide a perfect default escaping mechanism for all possible uses, but the minimum bar should be to escape content safely for use in element bodies and quoted attribute values. The rationale for escaping It is necessary to escape |
Conflicts: lib/handlebars/utils.js
It's probably fine not to escape /, since its only danger is in ending entities (like &/). This isn't a problem for us, since the badChars regex won't allow it and the & will get escaped. It turns out ` can be used to quote attribute values in IE, so it needs to be escaped along with " and '.
That's certainly the message I got (excellent post! -- how often have you been quoted at yourself? :-). My point wasn't that we actually should escape all those things, but that operating under a attributes-are-wrapped-in-quotes, is a reasonable line, which is a simple message to communicate ("wrap all attributes in quotes to avoid XSS") and escapes content for those situations. Anyway I hope they take your pull request. |
I filed this pull request a month ago, and have yet to receive a response from a Handlebars maintainer. In the meantime, there have been several Handlebars 1.0.0 beta releases, and I see that the Sproutcore 2.0 developer preview (including a version of Handlebars with this XSS issue) has now been announced. I'm surprised at this, given the potential security issue for anyone who uses Handlebars or Sproutcore. Should I take this as an indication that this fix isn't wanted? Or is it just not wanted yet? Have my descriptions of why this issue is important not been clear? If there's anything I can do to clarify the explanation of the problem, or to improve the implementation of the fix, please tell me. I don't want to see Handlebars 1.0.0 or Sproutcore 2.0 go out with a known security vulnerability that could have been prevented. |
Add ", ', and ` to the list of chars that need HTML escaping.
Yay! |
Previously, only
<
and>
were escaped. This meant that any Handlebarstemplate that used user input in an HTML attribute value was wide open
to a trivial XSS exploit. Note that unquoted attribute values are still
open to attack, but this set of characters at least brings Handlebars in
line with other Mustache implementations and other template languages.
See the OWASP XSS prevention cheat sheet (rule #1) for the rationale
behind escaping these characters:
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet