In the Python ecosystem, there are three popular template render engines: Django's built-in template engine, Jinja2 and Mako.
How good are these render engines against XSS? Is `{{ foo }}` enough? Under what situations does `{{ foo }}` fail? The point of this research is to understand (1) the context-awareness of the template engine, if there is any, (2) the challenge of encoding in the HTML world, and (3) best practices when using a template render engine.
- understand quotes, innerHTML injection
- inserting `<script>` via `innerHTML` is blocked by the HTML spec (the element is created but never executed). See 1.
- escape `<`, `>`, `&`, `'`, and `"`. See 2.
- escape characters inside quoted attributes; an unquoted attribute can be broken out of with a plain space, which none of the five escapes touch.
- http://jsfiddle.net/hQ6y5/3/, http://jsfiddle.net/ckdM4/
- input = `escape(input)` --> output = `unescape(input)`; JavaScript's global `escape` is a deprecated API (and a percent-encoder, not an HTML encoder). `innerHTML` is bad; use `textContent`, except in the case of a `<script>` element, where text assigned with `textContent` is executed once the element is inserted.
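The following is an added example, not code from the original post or from any of the three engines. It answers "is `{{ foo }}` enough?" for the `<a href={{ foo }}>{{ bar }}</a>` case without a dependency on Jinja2 or Django: `escape()` mirrors the five-character autoescape those engines apply, Python f-strings stand in for the template, and a stdlib HTML parser shows how many attributes a browser-like tokenizer ends up with. The `safe_url` and `anchor_attrs` helpers and the sample payloads are mine; it goes one step beyond the post by also covering the URL-scheme case, where even a correctly quoted and escaped attribute still lets `javascript:` through.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


def escape(s: str) -> str:
    """The five-character HTML escape that autoescape applies to {{ foo }}.
    (Jinja2's markupsafe emits &#34; and &#39;, Django emits &quot; and &#x27;;
    the effect is the same.)"""
    return (s.replace("&", "&amp;")
             .replace("<", "&lt;")
             .replace(">", "&gt;")
             .replace('"', "&#34;")
             .replace("'", "&#39;"))


# Hand-expanded renderings of the post's template. f-strings stand in for the
# engine so the example runs offline; what matters is where escape() is applied.
def render_unquoted(foo: str, bar: str) -> str:
    # <a href={{ foo }}>{{ bar }}</a>   -- unquoted attribute, autoescape on
    return f"<a href={escape(foo)}>{escape(bar)}</a>"


def render_quoted(foo: str, bar: str) -> str:
    # <a href="{{ foo }}">{{ bar }}</a> -- quoted attribute, autoescape on
    return f'<a href="{escape(foo)}">{escape(bar)}</a>'


ALLOWED_SCHEMES = {"", "http", "https"}  # "" = relative URL


def safe_url(url: str) -> str:
    """Escaping cannot make a URL safe: 'javascript:alert(1)' contains none of
    the five characters, so validate the scheme. Tab/newline are removed and
    leading control characters stripped first, because browsers do the same
    before parsing (otherwise 'java\\tscript:' slips past the check).
    Hypothetical helper; a real app would use its framework's URL validator."""
    cleaned = url.replace("\t", "").replace("\n", "").replace("\r", "")
    cleaned = cleaned.lstrip("".join(chr(c) for c in range(0x21)))
    if urlsplit(cleaned).scheme.lower() not in ALLOWED_SCHEMES:
        return "#"
    return cleaned


def render_hardened(foo: str, bar: str) -> str:
    # Quote the attribute (context) AND validate the value (URL type).
    return f'<a href="{escape(safe_url(foo))}">{escape(bar)}</a>'


class _FirstAnchor(HTMLParser):
    """Collects the attributes the tokenizer assigns to the first <a>. Any name
    besides href means the input escaped the attribute context."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attrs(markup: str) -> dict:
    p = _FirstAnchor()
    p.feed(markup)
    p.close()
    return p.attrs or {}


if __name__ == "__main__":
    payload = "x onmouseover=alert(1)"  # constructed sample input
    for render in (render_unquoted, render_quoted, render_hardened):
        out = render(payload, "click")
        print(out, "->", anchor_attrs(out))
    print(render_hardened("javascript:alert(1)", "click"))
```

With the unquoted template the payload becomes a second attribute (`onmouseover`) even though autoescape ran; with quotes it stays a single, harmless `href` value. The hardened form is the only one that also rejects `javascript:` and the tab-split variant, which is the "context-awareness" the engines do not provide on their own.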
The Content Security Policy (CSP) 1.1 draft introduces script hashes and script nonces to help developers maintain script integrity, especially for inline scripts. Since most applications today still run with inline scripts, and migrating away from inline scripts is not always feasible, how can we defend against XSS while enabling CSP for the rest of the content?
Most importantly, some templates "reflect" user input into inline markup and scripts and may be vulnerable to XSS, here into an unquoted attribute:
```html
<a href={{ foo }}>{{ bar }}</a>
```
or DOM-based XSS:
```html
<script>
// Use hash as id to load resource in a vanilla single-page app
var resId = window.location.href.split("#")[1];  // attacker-controlled: whatever follows '#' in the URL
// load content in the next few lines, if error we output an error message (404 sort of)
// (echoing resId into that error message via innerHTML is the DOM-based XSS sink)
// ....
// ....
</script>
```
Is the problem above worth defending against?
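As an added example (mine, not code from the original post), here is how the hash and nonce source expressions from the CSP draft above are actually produced, and why neither one helps when user input is reflected into the inline script itself. The hash syntax used is the `'sha256-<base64>'` form the CSP 1.1 draft became in CSP Level 2; `naive_inline_script` is the reflection pattern the post warns about and `js_string_literal` is the fix (serialize as JSON with `<`, `>`, `&` escaped, the same idea as Jinja2's `tojson` and Django's `json_script`). Function names and the sample payload are my own.

```python
import base64
import hashlib
import json
import secrets


def csp_script_hash(script_body: str, algo: str = "sha256") -> str:
    """Source expression for one inline script: digest of the exact bytes between
    <script> and </script> (UTF-8, whitespace included), base64, single-quoted.
    algo is one of sha256 / sha384 / sha512."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def new_nonce() -> str:
    """Per-response nonce: 128 bits from a CSPRNG, base64 so it is a valid
    nonce-source token. Never reuse it across responses."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def script_src_directive(*sources: str) -> str:
    """Build the script-src directive value from nonce/hash expressions."""
    return "script-src 'self' " + " ".join(sources)


def naive_inline_script(user_value: str) -> str:
    """The pattern the post warns about: user input spliced into an inline
    script with only double quotes backslash-escaped. The HTML tokenizer ends
    the script at the first '</script>' regardless of JS string state."""
    return 'var q = "%s";' % user_value.replace('"', '\\"')


def js_string_literal(value) -> str:
    """Untrusted data as a JSON literal with <, >, & escaped as \\uXXXX, so the
    output can contain neither '</script' nor a quote that ends the string."""
    out = json.dumps(value)  # ensure_ascii=True also escapes U+2028/U+2029
    for ch, rep in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        out = out.replace(ch, rep)
    return out


def decode_js_literal(literal: str):
    """What the browser's JS engine sees after parsing the literal."""
    return json.loads(literal)


def safe_inline_script(user_value: str) -> str:
    return "var q = %s;" % js_string_literal(user_value)


if __name__ == "__main__":
    payload = "</script><script>alert(1)</script>"  # constructed sample input
    nonce = new_nonce()
    body = safe_inline_script(payload)
    print(script_src_directive("'nonce-%s'" % nonce, csp_script_hash(body)))
    print('<script nonce="%s">%s</script>' % (nonce, body))
```

Two things the assertions below make concrete. First, the hash covers whatever bytes the server emitted, so for a script that reflects user input the hash changes on every request and a hash computed at render time authorizes the attacker's payload along with the legitimate code; hashes only work for static inline scripts. Second, a nonce stops an injected `<script>` tag elsewhere in the page, but anything injected inside the nonced script still runs, so the data placed there has to be encoded for the JavaScript context as `js_string_literal` does.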