Posted to notifications@freemarker.apache.org by GitBox <gi...@apache.org> on 2019/09/19 03:47:17 UTC

[GitHub] [freemarker] tokuhirom opened a new pull request #60: Make `js_string` more safety.

URL: https://github.com/apache/freemarker/pull/60
 
 
   I want to escape the `'` and `"` characters in hex form.
   
   For example, there's a template like this.
   
       <!doctype html>
       <html>
           <#assign v='"<svg/onload=alert(3)>'>
           <body foo="${v?js_string}">
           </body>
       </html>
   
   The rendering result is the following. This HTML shows an alert dialog when you open it in a web browser.
   It means an attacker can use this to steal a cookie.
   
       <!doctype html>
       <html>
           <body foo='\'<svg/onload=alert(3)>'>
           </body>
       </html>
   
   I know it's a programming issue. Users should use the `?html` filter in this context.
   But some programmers sometimes forget to apply the filter.
   
   FreeMarker can reduce the security risk with this patch.
   
   The rendering result with this patch is here:
   
       <!doctype html>
       <html>
           <body foo='\x22<svg/onload=alert(3)>'>
           </body>
       </html>
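The two escaping styles the pull request contrasts, as an added example that is not FreeMarker's own code: `jsStringBackslashQuotes` mirrors the `\"` output shown before the patch, `jsStringHexQuotes` mirrors the `\x22` output after it, and `containsRawQuote` is the check a reviewer would run to see whether the escaped value can still terminate an HTML attribute. Function names, the decoder and the sample value's use are assumptions for this example; the real `js_string` built-in escapes more characters than shown here.

```javascript
// Escapes shared by both styles (only the characters this example needs).
const COMMON_ESCAPES = { '\\': '\\\\', '\n': '\\n', '\r': '\\r', '\t': '\\t' };

// Style before the patch: quotes become \" and \' (the raw quote character
// survives in the output, so it can still close an HTML attribute value).
function jsStringBackslashQuotes(s) {
  return [...s].map(ch => {
    if (ch === '"') return '\\"';
    if (ch === "'") return "\\'";
    return COMMON_ESCAPES[ch] ?? ch;
  }).join('');
}

// Style after the patch: quotes become \x22 and \x27 (no raw quote remains).
function jsStringHexQuotes(s) {
  return [...s].map(ch => {
    if (ch === '"') return '\\x22';
    if (ch === "'") return '\\x27';
    return COMMON_ESCAPES[ch] ?? ch;
  }).join('');
}

// Reviewer check: does the escaped value still contain a raw quote character
// that would end a double- or single-quoted HTML attribute value?
function containsRawQuote(escaped) {
  return escaped.includes('"') || escaped.includes("'");
}

// Decode a JS string literal body (backslash escapes and \xHH) the way a JS
// engine would, to confirm both styles still round-trip inside a JS string.
function decodeJsStringLiteral(escaped) {
  return escaped.replace(/\\x([0-9a-fA-F]{2})|\\(.)/g, (m, hex, ch) => {
    if (hex !== undefined) return String.fromCharCode(parseInt(hex, 16));
    return { n: '\n', r: '\r', t: '\t' }[ch] ?? ch;
  });
}

// The value from the PR description, used here as constructed sample input.
const sample = '"<svg/onload=alert(3)>';
for (const [name, fn] of [['backslash', jsStringBackslashQuotes], ['hex', jsStringHexQuotes]]) {
  const out = fn(sample);
  console.log(`${name}: ${out}  raw quote left: ${containsRawQuote(out)}`);
}
```

Both styles decode back to the original value in a JS string context; only the hex style leaves no raw quote for the HTML attribute parser to see.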

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services