shakespeare-js does not escape #{...} interpolated strings

[joeyadams]

I wrote a simple "hello world" style program for shakespeare-js:

{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE QuasiQuotes #-}

import Data.Text    (Text)
import Text.Julius

import qualified Data.Text.Lazy.IO as TLIO

shouldBeEscaped :: Text
shouldBeEscaped = "\" + alert('XSS') + \""

foo :: JavascriptUrl url
foo = [js|
    var s = "#{shouldBeEscaped}";
|]

main :: IO ()
main = TLIO.putStrLn $ renderJavascriptUrl (\_ _ -> undefined) foo

It turns out that no string escaping happens at all! This is what the program outputs:

var s = "" + alert('XSS') + "";

Is this a bug, or does shakespeare-js not automatically escape interpolated strings? I'm guessing the latter, based on this sentence buried in the Shakespearean Templates documentation:

Julius allows the three forms of interpolation we've mentioned so far, and otherwise applies no transformations to your content.

This might be intended behavior, but it is extremely worrisome:

• The documentation doesn't make it obvious that no escaping is done. Rather, it suggests the opposite, by vaunting principles of type safety and well-formed content.
• It is inconsistent with Hamlet's #{...} syntax, which does perform the appropriate escaping.
• What if a future version of shakespeare-js does perform escaping of some sort? That would silently break any programs that do their own escaping.

[meteficha]

It looks like a bug for me.

[snoyberg]

This is the intended behavior. Whether we should change it, or how we should document it, are good questions. Can you raise them on the mailing list?

[gregwebs]

I also think this behavior is problematic. We should be documenting how to avoid any hassles from automatic safety, not how to make things safe.

[snoyberg]

This is far from a simple matter, which is why I closed the issue in favor of discussing it on the mailing list. The presumption underlying it is that Julius interpolation is fixated on values which will be included in JS string literals. I'm not convinced that this is what people are expecting: it may be quite disconcerting for a user to try and interpolate some JS code and have to escaped as if it were appearing inside of string.

[gregwebs]

Yeah, so from a security standpoint it matters little whether it will be a string literal or something else. To be secure we shouldn't allow any code whatsoever, only JS values.
This is plausible: if someone wants to insert JS code, they can insert a widget.
It would also be a major change: instead of ToJavascript we would probably need to use ToJSON.

[snoyberg]

So should we only interpolate Data.Aeson.Value values? When we
interpolate a Text, should it have quotes automatically added? Should we
apply entity escaping as well to properly avoid XSS attacks? There are a
lot of questions, and I think this is anything but obvious. That's why I'd
rather close the issue and discuss it on the list.

[gregwebs]

@joeyadams do you want to ask this on the mail list?