html/template: merging escapers can lead to over-escaping #19352
Comments
|
Ok, let me try to explain this to myself. So it looks like you're probably right about the URL over-escaping. If the user were to have written I ask to see whether your proposal to reposition inserted filters at the end addresses the problem if the user also removes explicit escaping for context at the end. |
<a href={{ . | html | print 3 }}>would be rewritten into <a href={{ . | _html_template_urlfilter | _html_template_urlnormalizer | html | print 3 }}>since This seems to be the contextual auto-escaper working as intended: it sees the "a href" context, determines that the value in this context must be a HTML-encoded, escaped URL, and adds the correct sanitizers to guarantee that. If I understand correctly, if the user wants to add a URL-encoded HTML here, the user should wrap the HTML in the HTML typed string, so that the auto-escaper will only perform the URL filtering/escaping steps on it. |
Just to make sure we're on the same page, my latest recommendation is to ignore user-supplied escapers completely. I think it's best if we first remove them (i.e. user-supplied calls to I should probably write a formal proposal for this, just so I won't have to repost this across all the html/template bug threads. |
|
CL https://golang.org/cl/37880 mentions this issue. |
…ring rewriting Report an error if a predefined escaper (i.e. "html", "urlquery", or "js") is found in a pipeline that will be rewritten by the contextual auto-escaper, instead of trying to merge the escaper-inserted escaping directives with these predefined escapers. This merging behavior is a source of several security and correctness bugs (eee #19336, #19345, #19352, and #19353.) This merging logic was originally intended to ease migration of text/template templates with user-defined escapers to html/template. Now that migration is no longer an issue, this logic can be safely removed. NOTE: this is a backward-incompatible change that fixes known security bugs (see linked issues for more details). It will explicitly break users that attempt to execute templates with pipelines containing predefined escapers. Fixes #19336, #19345, #19352, #19353 Change-Id: I46b0ca8a2809d179c13c0d4f42b63126ed1c3b49 Reviewed-on: https://go-review.googlesource.com/37880 Run-TryBot: Russ Cox <rsc@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>
|
This is no longer an issue now that golang.org/cl/37880 has landed. |
version: go version devel +4cce27a3fa Sat Jan 21 03:20:55 2017 +0000 linux/amd64
env: linux amd64
The template
is rewritten into
after contextual auto-escaping. However,
is rewritten into
Since
_html_template_urlnormalizerandurlqueryare considered equivalent, this output of this pipeline will be over-escaped.This happens because of the html/template escaper's attempt to merge inserted escapers with user-supplied escapers, described in #19336. This merge algorithm assumes that the user-supplied escapers in the pipeline will appear in the same order that they do in the sequence of escapers-to-be-inserted (see the merge logic for the gory details).
The text was updated successfully, but these errors were encountered: