Posted to users@tapestry.apache.org by Тимур Бухараев <bu...@gmail.com> on 2015/03/19 16:33:37 UTC

how to escape {{ symbols?

I use AngularJS and Tapestry 5.3 in my web project.

The problem is as follows:
1. A user inputs some data in a text field, for example his profile
description, and posts it to the server.
2. The profile description is rendered with a Tapestry variable:
<div>$description</div>
3. If $description contains some text like this "{{
<script>alert("Hehe!");</script> }}", AngularJS starts to interpret it, and
it is a big security problem.

Tapestry escapes standard HTML symbols: < is replaced with &lt; and so on. So
if a user inputs some HTML tags, Tapestry decorates them and that is great. I
want to replace the '{' symbol with &#123;

I found the class AbstractMarkupModel in the source, which does this decorating
work.

The question is: how to replace the behavior of AbstractMarkupModel.encode to
support decoration of the {{ symbol?

Re: how to escape {{ symbols?

Posted by Bob Harner <bo...@gmail.com>.
The caveat there is that PageElementFactoryImpl and PageElementFactory
are both internal classes that in theory could change without notice.

On Mon, Mar 23, 2015 at 12:18 PM, Lance Java <la...@googlemail.com> wrote:
> I'm guessing you could override the PageElementFactory with a custom
> implementation. You could extend PageElementFactoryImpl and override
> newExpansionElement. I'm guessing you might wrap Binding.get() to escape
> "{{" if the binding type is String.
>  On 19 Mar 2015 15:36, "Тимур Бухараев" <bu...@gmail.com> wrote:
>
>> I use AngularJS and Tapestry 5.3 in my web project.
>>
>> The problem is as follows:
>> 1. A user inputs some data in a text field, for example his profile
>> description, and posts it to the server.
>> 2. The profile description is rendered with a Tapestry variable:
>> <div>$description</div>
>> 3. If $description contains some text like this "{{
>> <script>alert("Hehe!");</script> }}", AngularJS starts to interpret it, and
>> it is a big security problem.
>>
>> Tapestry escapes standard HTML symbols: < is replaced with &lt; and so on. So
>> if a user inputs some HTML tags, Tapestry decorates them and that is great. I
>> want to replace the '{' symbol with &#123;
>>
>> I found the class AbstractMarkupModel in the source, which does this decorating
>> work.
>>
>> The question is: how to replace the behavior of AbstractMarkupModel.encode to
>> support decoration of the {{ symbol?
>>

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tapestry.apache.org
For additional commands, e-mail: users-help@tapestry.apache.org


Re: how to escape {{ symbols?

Posted by Lance Java <la...@googlemail.com>.
I'm guessing you could override the PageElementFactory with a custom
implementation. You could extend PageElementFactoryImpl and override
newExpansionElement. I'm guessing you might wrap Binding.get() to escape
"{{" if the binding type is String.
 On 19 Mar 2015 15:36, "Тимур Бухараев" <bu...@gmail.com> wrote:

> I use AngularJS and Tapestry 5.3 in my web project.
>
> The problem is as follows:
> 1. A user inputs some data in a text field, for example his profile
> description, and posts it to the server.
> 2. The profile description is rendered with a Tapestry variable:
> <div>$description</div>
> 3. If $description contains some text like this "{{
> <script>alert("Hehe!");</script> }}", AngularJS starts to interpret it, and
> it is a big security problem.
>
> Tapestry escapes standard HTML symbols: < is replaced with &lt; and so on. So
> if a user inputs some HTML tags, Tapestry decorates them and that is great. I
> want to replace the '{' symbol with &#123;
>
> I found the class AbstractMarkupModel in the source, which does this decorating
> work.
>
> The question is: how to replace the behavior of AbstractMarkupModel.encode to
> support decoration of the {{ symbol?
>

Re: how to escape {{ symbols?

Posted by Bob Harner <bo...@gmail.com>.
Hmm... interesting problem. I'm not sure it's a good idea to provide a
custom MarkupModel class (even if it's somehow possible to do without
modifying Tapestry source), because the MarkupModel is really tied to
the document type, and you are not really generating a custom document
type. Instead, I think you just need to modify user input as it is
submitted. You could do that on a per-form-field basis by changing
user-submitted values with a simple String.replace in an
onValidateFrom... method in your page or component class. Or, if you
want the behavior to apply across all forms in your application, you
could write a Tapestry HttpServletRequestFilter that looks at all
submitted data and potentially modifies it. You could adapt this
example from Mike Gentry to suit your purposes:
https://gist.github.com/mrg/8943683

On Thu, Mar 19, 2015 at 11:33 AM, Тимур Бухараев <bu...@gmail.com> wrote:
> I use AngularJS and Tapestry 5.3 in my web project.
>
> The problem is as follows:
> 1. A user inputs some data in a text field, for example his profile
> description, and posts it to the server.
> 2. The profile description is rendered with a Tapestry variable:
> <div>$description</div>
> 3. If $description contains some text like this "{{
> <script>alert("Hehe!");</script> }}", AngularJS starts to interpret it, and
> it is a big security problem.
>
> Tapestry escapes standard HTML symbols: < is replaced with &lt; and so on. So
> if a user inputs some HTML tags, Tapestry decorates them and that is great. I
> want to replace the '{' symbol with &#123;
>
> I found the class AbstractMarkupModel in the source, which does this decorating
> work.
>
> The question is: how to replace the behavior of AbstractMarkupModel.encode to
> support decoration of the {{ symbol?
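A request filter of the kind Bob describes above, as an added example that is neither the thread's nor Tapestry's own code: it wraps every request and splits any `{{` or `}}` pair in submitted parameters before Tapestry's form components read them, so stored text can never carry an intact AngularJS interpolation delimiter. The class name, the package and the AppModule contribution method are mine; the HttpServletRequestFilter, HttpServletRequestHandler and HttpServletRequestWrapper types are the real Tapestry 5.3 and servlet APIs.

```java
package com.example.web.services; // hypothetical package

import java.io.IOException;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.tapestry5.ioc.OrderedConfiguration;
import org.apache.tapestry5.services.HttpServletRequestFilter;
import org.apache.tapestry5.services.HttpServletRequestHandler;

/** Breaks AngularJS "{{ ... }}" delimiter pairs in every submitted parameter. */
public class InterpolationNeutralizingFilter implements HttpServletRequestFilter {

    // Inserts a space after any brace that is directly followed by the same brace.
    // The lookahead handles runs such as "{{{" (plain replace("{{", "{ {") would
    // leave a fresh "{{" behind in that case). Choosing a space is my assumption;
    // any visible separator that the UI can tolerate works the same way.
    static String neutralize(String value) {
        if (value == null) return null;
        return value.replaceAll("\\{(?=\\{)", "{ ").replaceAll("\\}(?=\\})", "} ");
    }

    public boolean service(HttpServletRequest request, HttpServletResponse response,
                           HttpServletRequestHandler handler) throws IOException {
        return handler.service(new HttpServletRequestWrapper(request) {
            @Override public String getParameter(String name) {
                return neutralize(super.getParameter(name));
            }
            @Override public String[] getParameterValues(String name) {
                String[] raw = super.getParameterValues(name);
                if (raw == null) return null;
                String[] out = new String[raw.length];
                for (int i = 0; i < raw.length; i++) out[i] = neutralize(raw[i]);
                return out;
            }
            @Override public Map<String, String[]> getParameterMap() {
                Map<String, String[]> out = new LinkedHashMap<String, String[]>();
                for (Object name : super.getParameterMap().keySet())
                    out.put((String) name, getParameterValues((String) name));
                return out;
            }
        }, response);
    }

    // Goes into the application's module class (AppModule is the conventional name):
    // registers the filter ahead of Tapestry's own request filters.
    public static void contributeHttpServletRequestHandler(
            OrderedConfiguration<HttpServletRequestFilter> configuration) {
        configuration.add("NeutralizeInterpolation", new InterpolationNeutralizingFilter(), "before:*");
    }
}
```

Note that browsers decode `&#123;` back to `{` when they parse the page, before AngularJS compiles the DOM, so entity-encoding braces on output does not by itself stop interpolation. Marking the element that renders user text with `ng-non-bindable` keeps AngularJS from compiling that subtree at all, which is the more direct defence on the output side.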
