Re: [Cheetahtemplate-discuss] PTL/Cheetah article
Aug 3, 2005

Shannon -jj Behrens wrote:
> You bring up a good point about auto escaping. I read about session
> injection attacks <http://www.acros.si/papers/session_fixation.pdf>,
> and a single XSS vulnerability anywhere within some
> subdomain.example.com makes it possible to hijack sessions for
> anyothersubdomain.example.com. It's probably better if we start
> erring on the side of overcaution when it comes to HTML escaping

Tavis would have to add the htmltext module, perhaps under
Cheetah.Utils. I don't know how he feels about that.
If we include the C version, it would be one more thing to compile, but
I suppose that's no big deal.

> Hence, I think that perhaps:
> - a NameMapper filter should automatically escape things as you laid
> out in your article

Perhaps we can come up with a better name than HtmltextFilter.
WebSafer? IntelligentWebSafe? Just kidding.

> - each Cheetah method should return an htmltext instance so that its
> content doesn't get re-escaped

I suppose. It certainly works to assign htmltext instances as
placeholder values. There may be an argument that we shouldn't presume
that about all #def results, although PTL does the equivalent. The
application I used the filter in doesn't have any #def methods so the
issue never came up. But if a method result is fed to a function that
insists on a string, there would be problems. I don't know how many of
that sort of expectation people build into their templates.

Of course, PTL also distinguishes between html functions and plain
functions. Plain functions don't get any escaping. Cheetah doesn't
have a formal way to distinguish between HTML output and non-HTML
output. If it did we could make HtmltextFilter the default for HTML output.
-- Mike Orr <mso@...>
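Added illustration of the mechanism the thread is discussing; this is example code, not Cheetah's, Quixote's htmltext module, or anything posted on the list. It models a marked-safe string type, a filter that escapes everything not so marked, a stand-in for a #def that returns a marked instance, and the caveat raised above about a result passing through something that hands back a plain str. The names HtmlText, HtmlTextFilter, bold and render are assumptions for this example.

```python
import html
import re


class HtmlText(str):
    """Marker type for text that is already HTML-escaped (constructed for this
    example; stands in for the htmltext idea, it is not the Quixote module)."""
    __slots__ = ()

    def __add__(self, other):
        # Concatenation escapes the unmarked side so the result stays safe.
        return HtmlText(str.__add__(self, escape(other)))

    def __radd__(self, other):
        return HtmlText(str.__add__(escape(other), self))


def escape(value):
    """Escape anything not already marked safe; a no-op on HtmlText, so a
    value can pass through any number of filters without double escaping."""
    if isinstance(value, HtmlText):
        return value
    return HtmlText(html.escape(str(value), quote=True))


class HtmlTextFilter:
    """Stands in for a Cheetah output filter: every placeholder value is
    passed through filter() before it is written to the output."""
    def filter(self, value, **kw):
        return escape(value)


def bold(text):
    """Stands in for a #def method whose result is an htmltext instance."""
    return HtmlText("<b>") + text + HtmlText("</b>")


PLACEHOLDER = re.compile(r"\$(\w+)")


def render(template, namespace, filt=HtmlTextFilter()):
    """Template literals are trusted markup; each $placeholder is filtered."""
    pieces, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        pieces.append(template[pos:m.start()])
        pieces.append(filt.filter(namespace[m.group(1)]))
        pos = m.end()
    pieces.append(template[pos:])
    return HtmlText("".join(pieces))


def demo(user_input='<script>alert(1)</script>'):  # constructed untrusted input
    once = render("<p>$name</p>", {"name": user_input})        # escaped once
    via_def = render("<p>$b</p>", {"b": bold(user_input)})     # markup kept, text escaped once
    lost = render("<p>$u</p>", {"u": bold(user_input).upper()})  # str.upper() drops the marker
    return once, via_def, lost
```

The third result shows the problem Mike describes: str methods return a plain str, so the marker is lost and the already-escaped markup is escaped a second time.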