
Re: security audit: msg#00196

jakarta.velocity.user

Subject: Re: security audit

Friday, May 30, 2003, 7:14:48 PM, Will Glass-Husain wrote:

> Hi,
>
> Great comments! I'll definitely write up a summary in a few days.
>
> I forgot one more important security issue -- cross-site scripting
> vulnerabilities.
>
> Anytime you display text that derives from user input on the velocity page,
> you need to escape all the HTML characters (&, <, >, "). Otherwise a
> malicious end user can insert javascript that
> displays on a third user's browser window. Here's a short article on the
> problem.
> http://msdn.microsoft.com/workshop/author/dhtml/sec_dhtml.asp#xsite
>
> The solution is to write a tool that substitutes the characters and always
> use it to display user input.
> $HTMLMultiLine.escape($textfromuser)
>
> For added convenience, make a similar method that changes carriage returns to
> <br>'s for greater readability. If anyone wants sample code for a tool that
> does this, let me know.
> $HTMLMultiLine.escapeMultiLine($textfromuser)

Or rather, since most data that comes from the context is not HTML but
plain text, interpolations ($foo) should be implicitly escaped. So the
HTML authors can't forget about this. The exceptional situation is when
a variable *does* store text of HTML format, in which case the escaping
should be prevented explicitly by the template author ($noescape($foo)
or something like that).

A good solution for the above would be the usage of a parse-time
directive, as:

#escape("html")
... Tons of HTML here...
... interpolations will be implicitly escaped
#end

--
Best regards,
Daniel Dekany
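An added example, not code from this thread or from the Velocity project, of the escaping tool Will describes, wired into a Velocity context. The class name, method names and the sample user input are assumptions; the example also shows why escapeMultiLine must escape first and only then insert the <br> tags, and it escapes the single quote as well so the tool is safe inside single-quoted attributes.

```java
import java.io.StringWriter;
import org.apache.velocity.VelocityContext;
import org.apache.velocity.app.Velocity;

/** Hypothetical tool class, named after the $HTMLMultiLine tool mentioned in the thread. */
public final class HTMLMultiLine {

    /** Escapes the characters that let user text break out of HTML text or attribute context. */
    public String escape(Object value) {
        if (value == null) return "";
        String s = value.toString();
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#39;");  break; // single-quoted attributes
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    /** Escape first, then turn line breaks into <br>; the reverse order would escape the <br> itself. */
    public String escapeMultiLine(Object value) {
        return escape(value).replace("\r\n", "<br>").replace("\r", "<br>").replace("\n", "<br>");
    }

    public static void main(String[] args) throws Exception {
        Velocity.init();
        VelocityContext ctx = new VelocityContext();
        ctx.put("HTMLMultiLine", new HTMLMultiLine());
        // Constructed sample of hostile user input: a comment with a script tag on a second line.
        ctx.put("textfromuser", "Nice post!\n<script>alert(1)</script>");

        // The template author calls the tool; unescaped $textfromuser would emit the tag verbatim.
        String template = "<p>$HTMLMultiLine.escapeMultiLine($textfromuser)</p>";
        StringWriter w = new StringWriter();
        Velocity.evaluate(ctx, w, "demo", template);
        System.out.println(w);
    }
}
```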

