Missing forward slash escape value in hamlcoffee.js.coffee.erb

[mrchess]

I noticed in vendor/assets/javascripts/hamlcoffee.js.coffee.erb

That there is no escape of forward slash. OWASP suggests you escape it per https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet (see RULE#1).

Is there a reason for this omission? If not, should it be added?

[netzpirat]

Wow, thanks for the link. The reason for the omission is that I didn't know about it, duh! It would be great to have it added.

[mrchess]

Nice!

[molily]

I don’t get why this is necessary. HAML doesn’t escape the slash either.

From the https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

forward slash is included as it helps end an HTML entity

Well, that’s right, but a space for example also ends a broken HTML entity reference. “&quot ” works in most browsers, the same goes for numerical character references. So why isn’t space escaped?

[netzpirat]

Agree, the quote

forward slash is included as it helps end an HTML entity

is nonsense and the OWASP minimal encoding rules lists only < and & when escaping for HTML. Escaping / is only needed when the value is used within a script and the XSS Filter Evasion Cheat Sheet lists some examples.

Just tested Backbone and it also escapes the forward slash:

> new Backbone.Model({ test: 'hello/' }).escape('test')
"hello/"