Consider Using Contextual Auto-Escaping #472
Comments
|
I don't quite understand what you mean by "contextual". In the sense that Twig automatically recognizes whether the output is done in JS or HTML? |
|
I really recommend reading the entire article I linked above. The basic philosophy is that dynamic input can never change the semantics of the template. For example if you have the following template |
|
@schmittjoh: I've just read the article you mentioned. It looks very clever but I doubt that it fits Twig. First, Twig is not limited to HTML templates. Then, I don't see how we can always be aware of the context as anytime you can include another template (with a dynamic name); so, depending on where the include is called, the context can be different and so the escaping rules can also be different. |
|
I haven't really looked at the implementation of Google Closure Templates, but I know that they also support includes and non HTML templates (here Twig's behavior would simply be the same as it is now). I can see that this escaping strategy can be very useful and solve some of the problems we had in the past when we discussed whether a certain filter/function should be marked as safe or not. It would also move some work from the developer to Twig and make templates more secure. Maybe, it makes sense to first try to implement this strategy in certain places where it is simple to implement, but the decision is yours. |
|
After thinking about it a bit more, that's something that we can do on top of the existing escaping mechanism (as an option). I've looked for more input and found the following interesting reads and references:
|
|
Implementation-wise this might give some good pointers: |
|
Context aware escaping has the Nette framework - the most popular and most used framework in the Czech Republic. Documentation: http://doc.nette.org/en/templating#toc-context-aware-escaping Parser: https://github.com/nette/nette/blob/master/Nette/Latte/Parser.php |
|
As of Twig 1.9.0, we now have escapers for css, js, html, url, and html attributes. This is a first step towards context-aware escaping. |
|
I'm the author of the first three links. My current project ( https://www.usenix.org/lets-parse-prevent-pwnage ) is trying to solve the "not limited to HTML templates" problem you mention. Is there any interest in that kind of approach in twig? |
|
@mikesamuel: Yes, we are indeed really interested in implementing what you describe as that would be a huge step forward for the built-in security mechanisms we want to promote in Twig. |
While it would be a cool feature, it is also impossible to apply automatic escaping in most cases. Advertising this as a out-of-the-box feature is problematic, as it probably mislead multiple developers that are using the tool without applying proper contextual escaping.
…ailable (Ocramius) This PR was submitted for the 2.7 branch but it was merged into the 2.3 branch instead (closes #5121). Discussion ---------- As per twigphp/Twig#472, automatic escaping is not yet available While it would be a cool feature, it is also impossible to apply automatic escaping in most cases. Advertising this as a out-of-the-box feature is problematic, as it probably mislead multiple developers that are using the tool without applying proper contextual escaping. Ref: twigphp/Twig#472 Commits ------- 94a8655 As per twigphp/Twig#472, automatic escaping is not yet available
|
Closing this old issue as nobody stepped up to work on it. |
Contextual auto-escaping often produces more intuitive escaping than simply turning auto-escaping on/off. This could be configured on a per-template basis via a compile-time directive.
see Google Closure Templates for more info:
http://code.google.com/closure/templates/docs/security.html
The text was updated successfully, but these errors were encountered: