
Erlydtl does not escape fragments #80

Closed
AeroNotix opened this Issue Jun 25, 2013 · 5 comments

3 participants

@AeroNotix

Hi,

Django templates will automatically escape HTML and JavaScript fragments to minimize the risk of XSS attacks. Erlydtl doesn't seem to do it out of the box.

I have an example Erlydtl project to better describe the issue: https://github.com/AeroNotix/erlydtl_xss_vector

Aaron

@evanmiller

I'm a little hesitant to change the behavior at this point given the large install base. However, I would accept an autoescape render-time option that defaults to false.

@kaos
ErlyDTL member
kaos commented Nov 28, 2013

Couldn't it be both a render-time as well as a compile-time option?
That way you could compile your templates the way you want, and don't have to bother with passing that option on each render invocation.

@kaos kaos was assigned Jan 18, 2014
@kaos
ErlyDTL member
kaos commented Jan 18, 2014

It was so easy to add this as a compile time option, I won't even attempt to add a render time option for it, unless there turns out to be a demand for that.

@kaos kaos added a commit that closed this issue Jan 19, 2014
@kaos kaos Add auto_escape option.
In order to be Django compatible, the `auto_escape` option should be
used when compiling the template.

Fixes #80.
3462bd2
@kaos kaos closed this in 3462bd2 Jan 19, 2014
@AeroNotix

I'd prefer to see the breaking change introduced.

Saying erlydtl is compatible with Django templates and then not complying with basic security features seems backwards. Imagine all the people that just plug and play their templates in and open themselves up to XSS attacks.

@kaos
ErlyDTL member
kaos commented Jan 19, 2014

Thank you, and valid point too.

Also, as the change needed for those who would need the old behaviour is easy (i.e. pass {auto_escape, false} as compile option), I'll consider making this change. I would prefer to hear from a few more users, though.

@kaos kaos added a commit that referenced this issue Feb 17, 2014
@kaos kaos Autoescape on by default (Close #120, see #80)
This to be Django compatible. Pass `{auto_escape, false}` as compile
option when compiling the template to disable auto escaping.
d840d7d
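The two behaviours discussed in this thread side by side, as an added example that is not code from the erlydtl project or from anyone in this issue. It assumes erlydtl is on the code path and exposes `erlydtl:compile_template/3`, which compiles a template binary into a named module that exports `render/1` and returns `{ok, IoList}`; the `{auto_escape, false}` compile option is the one named in the commit message above. The module names `demo_escaped` and `demo_raw` and the hostile input are made up for the demonstration.

```erlang
%% Added example, not erlydtl's own code. Assumes erlydtl:compile_template/3
%% returns {ok, Module} and that Module:render/1 returns {ok, IoList}.
-module(autoescape_demo).
-export([run/0, render/2]).

%% Template body: a user-controlled value interpolated straight into HTML.
-define(TEMPLATE, <<"<p>Hello, {{ name }}!</p>">>).

%% Constructed attacker-controlled input: a script tag where a name is expected.
-define(HOSTILE, <<"<script>alert(document.cookie)</script>">>).

%% Compile ?TEMPLATE into Module with the given erlydtl compile options, then
%% render it with the hostile value bound to `name`. Returns the output as a binary.
render(Module, Options) ->
    {ok, Module} = erlydtl:compile_template(?TEMPLATE, Module, Options),
    {ok, Output} = Module:render([{name, ?HOSTILE}]),
    iolist_to_binary(Output).

run() ->
    %% Default after d840d7d: auto-escape on, so `<`, `>` and friends become entities.
    Escaped = render(demo_escaped, []),
    %% Explicit opt-out, reproducing the pre-d840d7d behaviour (raw interpolation).
    Raw = render(demo_raw, [{auto_escape, false}]),
    io:format("auto_escape on : ~s~n", [Escaped]),
    io:format("auto_escape off: ~s~n", [Raw]),
    %% With escaping, the literal tag is absent, so a browser cannot parse it as an element;
    %% without it, the attacker's script tag is reflected verbatim into the page.
    nomatch = binary:match(Escaped, <<"<script>">>),
    {match, _} = binary:match(Raw, <<"<script>">>),
    ok.
```

Run with `autoescape_demo:run().` from an Erlang shell that has erlydtl loaded. The pattern matches at the end are the check a reviewer would want before flipping the option in a live deployment: any template compiled with `{auto_escape, false}` must only ever be fed values that have been escaped or marked trusted by the caller, because the renderer will no longer do it.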