This repository has been archived by the owner on Jul 13, 2022. It is now read-only.
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Py HTML Contextual Autoescaping</title>
<script src="https://google-code-prettify.googlecode.com/svn/loader/run_prettify.js"></script>
</head>
<body>
<h1>A contextual autoescaper for HTML</h1>
<h2>Runtime auto-escaping</h2>
<p>If the template cannot be analysed when it is compiled, this module
provides a file-like object with two methods:</p>
<pre class="prettyprint">
write_safe(*strings) # Called with the literal chunks of the template, which are trusted
write(*values)       # Called with values supplied by the caller at runtime, which are not
</pre>
<p>so that a template like</p>
<pre class="prettyprint">
&lt;b&gt;<i>{{ x }}</i>&lt;/b&gt;
&lt;button onclick=foo(<i>{{ y }}</i>)&gt;
</pre>
<p>generates the sequence of calls</p>
<pre class="prettyprint">
w.write_safe('&lt;b&gt;')
w.write('I &lt;3 Ponies!')
w.write_safe('&lt;/b&gt;\n&lt;button onclick=foo(')
w.write({'foo': 'bar', '"baz"': 42})
w.write_safe(')&gt;')
</pre>
<p>which produce the output</p>
<pre class="prettyprint">
&lt;b&gt;I &amp;lt;3 Ponies!&lt;/b&gt;
&lt;button onclick="foo({&amp;#34;foo&amp;#34;:&amp;#34;bar&amp;#34;,&amp;#34;\x22baz\x22&amp;#34;:42})"&gt;
</pre>
<p>
The safe parts are treated as literal chunks of HTML/CSS/JS and are used to
track the parser context; each unsafe part is escaped for the context in which
it lands (HTML text, attribute value, URL, CSS or JavaScript), which preserves
both security and least surprise. Note that the <tt>onclick</tt> value the
template left unquoted comes out quoted: an escaped value in an unquoted
attribute could otherwise still be cut short by whitespace.
For a more comprehensive example, a template like
</p>
<pre class="prettyprint">
&lt;div style="color: {{user.color}}"&gt;
&lt;a href="/{{user.color}}?q={{user.world}}"
onclick="alert('{{helper(user)}}');return false"&gt;
{{helper(user)}}
&lt;/a&gt;
&lt;script&gt;(function () { // Sleepy developers put sensitive info in comments.
var o = {{user}},
w = "{{user.world}}";
})();&lt;/script&gt;
&lt;/div&gt;
{{template helper}}
Hello, {{user.world}}!
{{/template}}
</pre>
<p>might correspond to the sequence of calls</p>
<pre class="prettyprint">
# Dummy input values.
user = {
    "color": "blue",
    "world": "&lt;Cincinatti&gt;"
}
color = user["color"]
world = user["world"]
# The {{template helper}} block, as a function writing into the same stream.
def helper(w, user):
    w.write_safe("Hello, ")
    w.write(user["world"])
    w.write_safe("!")
# Alternating safe and unsafe writes that implement the template.
w.write_safe("&lt;div style=\"color: ")
w.write(color)
w.write_safe("\"&gt;\n&lt;a href=\"/")
w.write(color)
w.write_safe("?q=")
w.write(world)
w.write_safe("\"\n onclick=\"alert('")
helper(w, user)
w.write_safe("');return false\"&gt;\n ")
helper(w, user) # Helper called in a different context
w.write_safe("\n &lt;/a&gt;\n &lt;script&gt;(function () {\n var o = ")
w.write(user)
w.write_safe(",\n w = \"")
w.write(world)
w.write_safe("\";\n })();&lt;/script&gt;\n&lt;/div&gt;")
</pre>
<p>which produces the output</p>
<pre class="prettyprint">
&lt;div style="color: blue"&gt;
&lt;a href="/blue?q=%3cCincinatti%3e"
onclick="alert('Hello, \x3cCincinatti\x3e!');return false"&gt;
Hello, &amp;lt;Cincinatti&amp;gt;!
&lt;/a&gt;
&lt;script&gt;(function () {
var o = {"color":"blue","world":"\u003cCincinatti\u003e"},
w = "\x3cCincinatti\x3e";
})();&lt;/script&gt;
&lt;/div&gt;
</pre>
<p>The same <tt>user.world</tt> value is escaped differently at each of its
five uses: percent-encoded in the URL query, hex-escaped inside the JS string
in the <tt>onclick</tt> handler, entity-escaped as HTML text, \u-escaped inside
the JSON literal, and hex-escaped again inside the JS string in the
<tt>&lt;script&gt;</tt> block. The same helper therefore produces different
bytes depending on where it is called from, and the JavaScript comment has been
stripped from the output.</p>
<h2>Static auto-escaping</h2>
<p>If a template system's call-graph is readily statically analyzable, the
<tt>escape</tt> module can be used to propagate context and pick an
escaper for each interpolation of an untrusted value into the template output.</p>
</body>
</html>