Left curly brackets get separated by HTML comments #111
Comments
Please see https://github.com/OWASP/java-html-sanitizer/blob/master/docs/client-side-templates.md
Working as intended.
Thanks!
So is there a way to disable this? We need to sanitize HTML code which can contain Handlebars placeholders within the HTML body text (not inside tags) and the sanitizer is breaking those.
If that's working as expected then it's just unsuitable to sanitise most of HTML templates like mustache
Can you validate the HTML after the template renders it?
- Jim
On 12/19/17 6:55 PM, Anton Malyshev wrote:
If that's working as expected then it's just unsuitable to sanitise most of HTML templates like moustache
Actually I have to validate templates before storing them and then I reuse them many times without validation.
So have you considered doing your HTML sanitization in the browser after template rendering? Check out DOMPurify for that use case.
On Dec 19, 2017, at 10:09 PM, Anton Malyshev wrote:
Actually I have to validate templates before storing them and then I reuse them many times without validation.
No, there is no way to turn off. If you want to use untrusted handlebars templates you're going to need to use a sanitizer that understands the idiosyncrasies of handlebars. This sanitizer does not and would not do a good job even if there were a knob to allow `<a href="{{x}}">link</a>` leads to XSS when `{{{x}}}` leads to XSS when
Exactly. But the inability to disable brace mangling prevents using the HTML sanitizer as part of such a solution. You're saying we need to write a separate HTML+CSS sanitizer for that purpose. In our case the perfect solution would be to perform HTML sanitization without brace mangling, and then ensure that there are no instances of. As a workaround, we're now replacing. Having the brace mangling enabled by default is a good thing, but it should be configurable like other aspects of the sanitation.
Hi,
when I sanitize HTML code that includes multiple left curly brackets in a row, like `{{{`, then they get converted to `{<!-- -->{<!-- -->{`. First question: Why is that? ^^
Second question: Can I disable this behavior? If yes, how?
The problem is that I want to sanitize Handlebars templates, and I need to keep the Handlebars expressions, which look like this: `{{ expression }}`
Here is a minimal code example that describes the issue:
Best regards,
Norman
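An added example, not code from the issue or from the java-html-sanitizer project, showing both the brace splitting Norman reports and the order Jim suggests (render the stored template first, sanitize the rendered output). The `render` method is a constructed stand-in for Handlebars (`{{x}}` escaped, `{{{x}}}` raw), not the real engine, and the policy is an assumed minimal allowlist.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class TemplateSanitizeOrder {
    // Assumed allowlist: a few text elements plus <a href> on safe protocols.
    static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "b", "i", "a")
            .allowAttributes("href").onElements("a")
            .allowStandardUrlProtocols()
            .requireRelNofollowOnLinks()
            .toFactory();

    // Constructed stand-in for Handlebars: {{x}} is HTML-escaped, {{{x}}} is raw.
    static final Pattern STASH = Pattern.compile("\\{\\{(\\{?)\\s*(\\w+)\\s*\\}?\\}\\}");

    static String render(String template, Map<String, String> ctx) {
        Matcher m = STASH.matcher(template);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String value = ctx.getOrDefault(m.group(2), "");
            boolean raw = !m.group(1).isEmpty();   // third brace means "no escaping"
            m.appendReplacement(out, Matcher.quoteReplacement(raw ? value : escape(value)));
        }
        m.appendTail(out);
        return out.toString();
    }

    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) {
        String template = "<p>Hi {{ name }}, your bio: {{{bio}}}</p>";
        // Constructed context: "bio" carries attacker-controlled markup.
        Map<String, String> ctx = Map.of("name", "Norman", "bio", "<img src=x onerror=alert(1)>");

        // 1. What the issue reports: sanitizing the template source breaks every "{{"
        //    apart with HTML comments ("{{{" becomes "{<!-- -->{<!-- -->{"), so the
        //    stored template no longer renders as a Handlebars expression.
        System.out.println(POLICY.sanitize(template));

        // 2. The order Jim suggests: render first, then sanitize the rendered HTML.
        //    The raw {{{bio}}} substitution injects an <img>; the policy strips it
        //    because only p, b, i and a are allowed.
        String rendered = render(template, ctx);
        System.out.println(POLICY.sanitize(rendered));
    }
}
```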