
Mako's "default_filters"'s default value should protect against XSS #193

Closed
abourget opened this Issue May 24, 2011 · 3 comments

4 participants

@abourget

We should have Mako's "mako.default_filters" be set to 'h' by default in settings.. or at least documented near the areas where we explain how to tie in Mako to Pyramid, and explain the implications (XSS attacks.. and why not a link to owasp: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) ). We could also note that we can reverse the process with ${something|n}.. when we explicitly want to render HTML and we trust the source.

It seems to be the default in Chameleon, but Mako templates are left behind :)
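
The default-filter setting and the `${...|n}` opt-out described above, as an added audit example (not code from this issue or from Pyramid): it reads a Pyramid .ini and reports whether `mako.default_filters` includes `h`, and lists the template expressions that switch the default filters off with `n`. The ini text, the template text and the `myapp` name are constructed samples.

```python
"""Added example (not from the issue or Pyramid): audit a Pyramid .ini for
Mako's default_filters and list template expressions that opt out with |n."""
import configparser
import re

# Constructed sample settings; only the mako.* keys matter here.
WEAK_INI = """\
[app:main]
use = egg:myapp
mako.directories = myapp:templates
"""

HARDENED_INI = """\
[app:main]
use = egg:myapp
mako.directories = myapp:templates
mako.default_filters = h
"""

# Constructed template: one escaped expression, two explicit opt-outs.
SAMPLE_TEMPLATE = """\
<h1>${page_title}</h1>
<div class="body">${trusted_html|n}</div>
<p>${comment|trim,n}</p>
"""


def mako_default_filters(ini_text, section="app:main"):
    """Return the Mako default filters configured in `section`. When the key
    is absent Mako only does str conversion, so [] means 'no escaping'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    raw = cp.get(section, "mako.default_filters", fallback="")
    return [f.strip() for f in raw.split(",") if f.strip()]


def escapes_by_default(ini_text, section="app:main"):
    """True when the 'h' (HTML escape) filter is applied to every ${...}."""
    return "h" in mako_default_filters(ini_text, section)


# ${expr|f1,f2,...}: the 'n' filter disables the configured default filters.
_EXPR = re.compile(r"\$\{(?P<expr>[^}|]+)\|(?P<filters>[^}]+)\}")


def unescaped_expressions(template_text):
    """List (line_number, expression) for every ${...|...n...} in a Mako
    template: these render raw HTML and are the spots to review by hand."""
    found = []
    for lineno, line in enumerate(template_text.splitlines(), 1):
        for m in _EXPR.finditer(line):
            filters = [f.strip() for f in m.group("filters").split(",")]
            if "n" in filters:
                found.append((lineno, m.group("expr").strip()))
    return found
```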

@mmerickel
Pylons Project member

Pylons does this using webhelpers.html.escape as the default filter in its configuration.

http://sluggo.scrapping.cc/python/WebHelpers/modules/html/builder.html

Is there a way we can do this without adding webhelpers as a dependency?

@virhilo
virhilo commented May 27, 2011

The 'h' filter, as abourget says (http://www.makotemplates.org/docs/filtering.html#expression-filtering), uses markupsafe.escape.

@mmerickel
Pylons Project member

Ugh not sure why I went straight to the Pylons code for this... I just knew it did it in the paster templates.

@mmerickel mmerickel added a commit to mmerickel/pyramid that referenced this issue May 27, 2011
@mmerickel mmerickel Attempt to fix issue #193 by setting mako default filter to 'h'. 18b25a6
@mcdonc mcdonc closed this May 28, 2011