Loading ...
Sorry, an error occurred while loading the content.

3055Re: [Cheetahtemplate-discuss] PTL/Cheetah article

Expand Messages
  • Mike Orr
    Aug 3, 2005
    • 0 Attachment
      Shannon -jj Behrens wrote:

      >You bring up a good point about auto escaping. I read about session
      >injection attacks <http://www.acros.si/papers/session_fixation.pdf>,
      >and a single XSS vulnerability anywhere within some
      >subdomain.example.com makes it possible to hijack sessions for
      >anyothersubdomain.example.com. It's probably better if we start
      >erring on the side of overcaution when it comes to HTML escaping
      >things.
      >
      >

      Tavis would have to add the htmlttext module, perhaps under
      Cheetah.Utils . I don't know how he feels about that.

      If we include the C version, it would be one more thing to compile, but
      I suppose that's no big deal.

      >Hence, I think that perhaps:
      >
      >- a NameMapper filter should automatically escape things as you laid
      >out in your article
      >
      >

      Perhaps we can come up with a better name than HtmltextFilter.
      WebSafer? IntelligentWebSafe? Just kidding.

      >- each Cheetah method should return an htmltext instance so that its
      >content doesn't get re-escaped
      >
      >

      I suppose. It certainly works to assign htmltext instances as
      placeholder values. There may be an argument that we shouldn't presume
      that about all #def results, although PTL does the equivalent. The
      application I used the filter in doesn't have any #def methods so the
      issue never came up. But if a method result is fed to a function that
      insists on a string, there would be problems. I don't know how many of
      that sort of expectation ppl build into their templates.

      Of course, PTL also distinguishes between html functions and plain
      functions. Plain functions don't get any escaping. Cheetah doesn't
      have a formal way to distinguish between HTML output and non-HTML
      output. If it did we could make HtmltextFilter the default for HTML output.

      -- Mike Orr <mso@...>


      -------------------------------------------------------
      SF.Net email is Sponsored by the Better Software Conference & EXPO
      September 19-22, 2005 * San Francisco, CA * Development Lifecycle Practices
      Agile & Plan-Driven Development * Managing Projects & Teams * Testing & QA
      Security * Process Improvement & Measurement * http://www.sqe.com/bsce5sf
      _______________________________________________
      Cheetahtemplate-discuss mailing list
      Cheetahtemplate-discuss@...
      https://lists.sourceforge.net/lists/listinfo/cheetahtemplate-discuss
    • Show all 3 messages in this topic