Latte: apply modifier safeUrl automatically to attribute href #1302
@@ -343,6 +344,8 @@ private function processHtmlAttribute(Token $token) | |||
$context = self::CONTENT_JS; | |||
} elseif ($token->name === 'style') { | |||
$context = self::CONTENT_CSS; | |||
} elseif ($token->name === 'href') { |
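Review bot: only `href` is routed to the URL context in this branch, so `src`, `action` and `formaction` (the attributes the PR title was later widened to cover) still pass through without the safeUrl treatment; consider matching the whole set of URL-bearing attribute names here rather than a single literal. Also confirm that `$token->name` is normalised to lowercase before these comparisons, because `=== 'href'`, like the `'style'` check above it, would silently skip a mixed-case `HREF` attribute.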
What about src?
Is there a way to turn it off?
Yes, with |nosafeurl
This: <a href=https://example.com/?id={$id}></a> produces: <a href=https://example.com/?id="123"></a>
Plus I think the variant without a protocol should be considered valid as well; it's the standard way on sites that serve both an SSL and a non-SSL variant.
I am in. Pros: 10x security. Cons: Relative URLs like
What about
It is hard to list or distinguish between safe and unsafe protocols :(
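A scheme-allowlist sanitizer of the kind the thread is debating, added here as an illustration (this is not Latte's own implementation; the function name, the allowlist and the sample inputs are assumptions). It treats relative and protocol-relative URLs as valid, so the "site with both SSL and non-SSL variant" case passes, while anything with a scheme outside the allowlist is rejected rather than trying to enumerate every unsafe protocol:

```php
<?php
declare(strict_types=1);

/**
 * Returns $url unchanged when it carries no scheme (relative or
 * protocol-relative URL) or when its scheme is on the allowlist;
 * otherwise returns '' so the attribute is emitted empty.
 * Illustration only: the allowlist is an assumption, not Latte's list.
 */
function safeUrl(string $url): string
{
    static $allowed = ['http', 'https', 'ftp', 'mailto'];

    // Browsers ignore ASCII control characters and whitespace inside the
    // scheme, so strip them before deciding whether a scheme is present.
    $clean = preg_replace('/[\x00-\x20\x7f]+/', '', $url);

    // A scheme is a run of [a-z0-9+.-] starting with a letter, followed by
    // ':', before any '/', '?' or '#'. No match means the URL is relative
    // ("/path", "img/a.png", "?x=1", "#top") or protocol-relative ("//host/").
    if (!preg_match('~^([a-z][a-z0-9+.-]*):~i', $clean, $m)) {
        return $url;
    }

    return in_array(strtolower($m[1]), $allowed, true) ? $url : '';
}

// Constructed sample inputs covering the cases raised in the thread:
// an absolute URL, a protocol-relative one, a relative path, the editor://
// scheme mentioned later in the discussion, and a scheme split by a tab.
$samples = [
    'https://example.com/?id=123',
    '//cdn.example.com/app.js',
    '/relative/path',
    'editor://open/?file=index.php',
    "java\tscript:void(0)",
];
foreach ($samples as $u) {
    printf("%-34s => %s\n", json_encode($u), safeUrl($u) === '' ? '(blocked)' : 'ok');
}
```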
What about
Why would you pass HTML as a value of href/src? But I am thinking about Http\Url.
I added the |nosafeurl modifier. It works without protocol, or not? And it produces
You may also include the following attributes for safeURL: xlink:href
Regards, ashar
I was speaking about href attributes in Html objects; how should they act?
Well, it has nothing to do with Latte, so I guess it should stay untouched by this.
Latte: apply modifier safeUrl automatically to attribute href, src, action & formaction
@dg @milo Good to see that now you have added the action and formaction attributes for the "safeURL" stuff! It would be great if you could also add the following (attributes along with the related XSS vector):
I hope it helps!
Regards, ashar
I added support for
|safeurl modifier is automatically added to template <a href="$url">... nette/nette#1302 so editor:// links didn't get generated, needs to be overridden by using |nosafeurl modifier more info (cs): http://phpfashion.com/prejdete-na-nette-2-1
Yes, this is not about escaping, this is sanitization. In fact, escapeXML() provides some kind of sanitization too. Pros and cons?