On 03/30/2014 02:23 AM, Nuria Ruiz wrote:
> What I am saying is that the parsing and escaping scheme we need is much
> simpler if you disallow the use case of passing the template engine
> something that is not data.
>
> Let me explain this, as it has to do more with correctness than with
> security per se:
>
> A template engine's objective is to separate data from markup. In your
> example you are passing the template 'class="anything"' or
> 'onclick="something"'; neither "class" nor "onclick" is data.
The example might not have been the most helpful one. Consider a handlebars
template like this:
<a href="{{url}}">{{title}}</a>
Even with double-stashes you'll be in trouble if your url data happens to be
'javascript:alert(cookie)'. For this you need special and ideally automatic
sanitization for href attributes (and src & style), which is what
KnockOff/TAssembly provides.
Gabriel
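To make the point in the reply concrete, here is an added example (not code from this thread, nor from KnockOff/TAssembly) that renders the `<a href="{{url}}">{{title}}</a>` template two ways: once with plain HTML escaping, as double-stashes do, and once with an attribute-context URL sanitizer in front of the escaping. The scheme allowlist (`http:`, `https:`, `mailto:`, plus relative URLs) and the `#` placeholder are assumptions for the example; the escaping alone leaves the `javascript:` URL from the message intact, while the context-aware path neutralizes it.

```javascript
// Added example: escaping vs. attribute-context sanitization for href.
// Not part of the original thread; names and the allowlist are assumptions.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Text/attribute escaping, as a {{double-stash}} expression does it.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Allowlisted schemes for URL-valued attributes (href, src). Relative URLs
// carry no scheme and pass through; anything with another scheme is replaced
// by an inert placeholder. This is the example's own policy, not a library's.
const SAFE_URL_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const INERT_URL = '#';

function sanitizeUrl(value) {
  const raw = String(value);
  // Browsers ignore control characters and whitespace when detecting the
  // scheme, so strip them before matching rather than trusting the raw text.
  const cleaned = raw.replace(/[\u0000-\u0020\u007f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(cleaned);
  if (!m) return raw; // no scheme: relative URL, acceptable here
  const scheme = m[1].toLowerCase() + ':';
  return SAFE_URL_SCHEMES.has(scheme) ? raw : INERT_URL;
}

// Escape-only rendering: correct for text, insufficient for href.
function renderEscapeOnly(data) {
  return `<a href="${escapeHtml(data.url)}">${escapeHtml(data.title)}</a>`;
}

// Context-aware rendering: the engine knows href holds a URL and applies
// the URL policy first, then the attribute escaping.
function renderContextAware(data) {
  return `<a href="${escapeHtml(sanitizeUrl(data.url))}">${escapeHtml(data.title)}</a>`;
}

module.exports = { escapeHtml, sanitizeUrl, renderEscapeOnly, renderContextAware };
```

The sanitizer runs before `escapeHtml`, not instead of it: the escaping still prevents the value from breaking out of the attribute, while the scheme check decides whether the value is an acceptable link target at all. That division of labour is what an engine has to know the attribute's context to do.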