Escaping is intentionally not contextual. As the security section states the only supported automatic escaping is HTML-based (link). This means that any use of this template that interpolates user-controlled data in a different context is vulnerable to XSS.
Here is one example:
<img onclick="{{interpolating action}}">
If the interpolating action outputs something like "javascript:alert(1)" the code will be executed.
Please add a section to the security paragraph of the README documenting that quicktemplate is not secure to use. As far as I understand, this package only supports manual escaping, and only for specific kinds of escaping, and this leads to vulnerable templates.
As an alternative, implement contextual autoescaping. As a reference for autoescaping and documentation on how it works you can take a look at the standard library security model: https://pkg.go.dev/html/template#hdr-Security_Model. Disclaimer: this is not easy to do and I think it is beyond the scope of this package.
Please let me know if you need any assistance or explanation about the threats and potential dangers of using this library as it is today, I'd be happy to help :)
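To make the distinction in the report concrete, here is a small added Go example (not code from the issue author or from the quicktemplate project). It contrasts plain HTML entity escaping, which is what a non-contextual escaper applies regardless of where the value lands (approximated here with html.EscapeString), against the standard library's contextual autoescaper from html/template referenced above. The untrusted value and the two template fragments are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"fmt"
	"html"
	"html/template"
)

// Constructed sample: an attacker-influenced value that is harmless as HTML
// text but dangerous when it ends up in a URL or event-handler attribute.
const untrusted = "javascript:alert(1)"

// manualEscape models non-contextual HTML escaping: only & < > " ' are
// rewritten, so a value without those characters passes through unchanged
// no matter which attribute it is interpolated into.
func manualEscape(v string) string {
	return html.EscapeString(v)
}

// contextualEscape renders src with html/template, whose escaper tracks the
// parse context of each action (URL attribute, JS attribute, text, ...) and
// applies the escaping that context needs.
func contextualEscape(src, v string) (string, error) {
	t, err := template.New("frag").Parse(src)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, v); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Same value, three placements: HTML escaping alone leaves the href and
	// onclick cases live; html/template neutralises the URL scheme in href
	// (rendering "#ZgotmplZ") and JS-string-quotes the onclick value.
	fmt.Println(`manual href:  <a href="` + manualEscape(untrusted) + `">x</a>`)
	for _, src := range []string{`<a href="{{.}}">x</a>`, `<img onclick="{{.}}">`} {
		out, err := contextualEscape(src, untrusted)
		if err != nil {
			panic(err)
		}
		fmt.Println("contextual:   " + out)
	}
}
```

The point for a reviewer is the first printed line: the manually escaped output is byte-for-byte the injected value, which is exactly the failure mode the issue describes, while html/template changes its behaviour per context without the template author having to pick the right escaping function.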
empijei changed the title from "Security: Document that templates are vulnerable to XSS" to "Security: templates are vulnerable to XSS" on May 10, 2022.