自动转义以防止XSS

Question

(when rendering a HTML template)

<hidden name=”param${ns?htmlattr}” />
<a href=”${url?urlencode}”>${usercontent?htmlencode}</a>
${rawhtml?htmlliteral}
<script>
var a = “${str?jsstr}”; //null becomes “”
var b = ${str?quote,jsstr}; //allow null, render quotes if nonnull
var c = ${func?jsliteral}
var ${func?jsidentifier} = null;
</script>

• jsstr escapes \\t\\b\\f\\n\\r\\\\\\'\\" and </
• jsliteral escapes </
• jsidentifier replaces non-alnum with a dummy character
• xmlattr escapes <>& and filters characters that aren't legal UTF-8
• htmlencode encodes almost all edge cases into stuff like &
• quote causes a string to render out quoted (including empty), or null

A few of these might not be relevant for security--they just help the code stay sane. Which escape mode do we choose as the default to help prevent XSS -- be "more secure" by default? What if we default to the most restrictive (htmlencode) and relax/switch excape modes from there?

I'm not interested in discussing the merits of all these escape modes -- for better or worse, they all exist in our codebase. Am I missing any modes? Any good reading material?

Answer 1

Take a look at http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/safetemplate.html

That defines contexts in HTML and a mapping from those contexts to escaping functions.

For a runnable example, take a look at http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/index.html . Try starting with the "Safe HTML" examples from the dropdown menu at the top-right.

To address your specific example, jsliteral looks a little widgy. What benefit do you get from html encoding anything inside a <script> block? The content is CDATA.

What are jsidentifier and jsliteral guarding? Do they stop dangerous identifiers like eval from being assigned? They should probably prevent <!-- in addition to </ since an injected /*<!-- could cause the </script> to be ignored possibly allowing an later interpolation to masquerade as script content.