Adding a few more badcharacters#1083
Adding a few more badcharacters#1083mrbrutti wants to merge 2 commits intohandlebars-lang:masterfrom
Conversation
- Adding these special characters to support better escaping. Testing adding also more characters that could result on XSS, such as ";", "(" and ")" . Currently this library is vulnerable to attacks such as <a href={{foo}}/> where foo is "test onload=alert(1)" resulting on the string <a href=test onload=alert(1)/>
|
This method is intended for escaping HTML content only, not javascript. Could you show me an example of what you are using this for that you'd like this change? |
|
Well, I was adding a few more cases to add common special characters that most libraries include. With that said, I found this when I was testing this edge case |
|
Ping me at kpdecker at gmail with the repo case.
|
|
Sorry that was formatted oddly in my email. No need to ping. This isn't the right fix as you are escaping to a different language and thus creating invalid data. Escaping = would be sufficient to mitigate, no? |
|
I was going to send another patch escaping ‘(‘ , ')’ and ‘=‘. The reason why I added the other special characters as well is because technically those should be escaped as well, but it could potentially break things if someone is trying to paste something on With that said, technically this is more of a fault from developers not inserting the correct “ or ‘ to contain the value of the html Attribute, but it is such a common usage that I think you should try to fix it, by escaping a few more characters as you mentioned and I have recommended above. |
|
Thanks for bringing this up. I went with the |
2 participants
It would be interesting to contemplate adding even more characters.