
Mako's "default_filters"'s default value should protect against XSS #193

Closed
abourget opened this issue May 24, 2011 · 13 comments

@abourget
Contributor

commented May 24, 2011

We should have Mako's "mako.default_filters" be set to 'h' by default in settings.. or at least documented near the areas where we explain how to tie in Mako to Pyramid, and explain the implications (XSS attacks.. and why not a link to OWASP: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) ). We could also note that we can reverse the process with ${something|n}.. when we explicitly want to render HTML and we trust the source.

It seems to be the default in Chameleon, but Mako templates are left behind :)

@mmerickel
Member

commented May 26, 2011

Pylons does this using webhelpers.html.escape as the default filter in its configuration.

http://sluggo.scrapping.cc/python/WebHelpers/modules/html/builder.html

Is there a way we can do this without adding webhelpers as a dependency?

@virhilo
Contributor

commented May 27, 2011

The 'h' filter, as abourget says: http://www.makotemplates.org/docs/filtering.html#expression-filtering . It uses markupsafe.escape.

@mmerickel
Member

commented May 27, 2011

Ugh not sure why I went straight to the Pylons code for this... I just knew it did it in the paster templates.

mmerickel added a commit to mmerickel/pyramid that referenced this issue May 27, 2011

mcdonc added a commit that referenced this issue May 28, 2011

Merge pull request #197 from mmerickel/mako_defaults
Attempt to fix issue #193 by setting mako default filter to 'h'.

@mcdonc mcdonc closed this May 28, 2011

@marcinkuzminski
Member

commented Jul 24, 2017

Just a note on this issue.

During porting of code we noticed that None from Pylons is not converted to an empty string in Pyramid. This is a small difference between the default filters in Pylons vs the Pyramid ones. In Pylons the default escape filters also converted None to an empty string.

Maybe it will help someone in future to avoid problems

@mmerickel
Member

commented Jul 24, 2017

@marcinkuzminski The best exposure for this is probably in the pylons part of the pyramid cookbook.

@marcinkuzminski
Member

commented Jul 24, 2017

Good idea, if we find time we'll contribute our filter used now for backport:

```python
import markupsafe

def h_filter(s):
    """
    Custom filter for Mako templates. Mako by standard uses `markupsafe.escape`
    we wrap this with additional functionality that converts None to empty
    strings
    """
    if s is None:
        return markupsafe.Markup()
    return markupsafe.escape(s)
```

@stevepiercy
Member

commented Jul 24, 2017

@mmerickel
Member

commented Jul 24, 2017

Good catch. It looks like the right solution @stevepiercy. @marcinkuzminski does escape_silent work for you?

@marcinkuzminski
Member

commented Jul 24, 2017

@stevepiercy ohh, I missed that. It's exactly the thing we have been looking for. Somehow I couldn't find it easily.

@mmerickel escape_silent is exactly what our function does.

@stevepiercy
Member

commented Jul 24, 2017

@marcinkuzminski where were you looking? I can add a sentence and link as I suggested above, as well as any other place that Pylons-to-Pyramid developers might be looking.

@marcinkuzminski
Member

commented Jul 24, 2017

@stevepiercy Mostly Google; I totally forgot about the cookbook. Probably now I'd search there first.

@apnewberry

commented Jan 4, 2019

I'm looking at Mako for the first time, and noticed that the security-oriented linter Bandit warns about use of Mako. Is this warning still true, or should the warning be removed from Bandit?

```rst
Unlike Jinja2 (an
alternative templating system), Mako has no environment wide variable escaping
mechanism. Because of this, all input variables must be carefully escaped
before use to prevent possible vulnerabilities to Cross Site Scripting (XSS)
attacks.
:Example:
.. code-block:: none
    >> Issue: Mako templates allow HTML/JS rendering by default and are
    inherently open to XSS attacks. Ensure variables in all templates are
    properly sanitized via the 'n', 'h' or 'x' flags (depending on context).
    For example, to HTML escape the variable 'data' do ${ data |h }.
       Severity: Medium   Confidence: High
       Location: ./examples/mako_templating.py:10
    9
    10  mako.template.Template("hern")
    11  template.Template("hern")
```

https://github.com/PyCQA/bandit/blob/02bad2e42311f420aef52dcd9806d66516ef594d/bandit/plugins/mako_templates.py#L72

@bertjwregeer
Member

commented Jan 4, 2019

Mako is not shipped with pyramid anymore, nor does pyramid have a "default" rendering engine. pyramid_mako exists for those that want to use mako templates with Pyramid.

That being said, it is entirely possible that you are using mako templating insecurely, that is not something that we can conclusively say anything about.

Mako however DOES support default filters, see https://docs.makotemplates.org/en/latest/filtering.html#the-default-filters-argument. Can you use Mako insecurely, yes, can you use it securely, also yes.
