Monday, April 18, 2011

Making JQuery templates safe against HTML injection

JQuery templates make it very easy for web app developers to compose HTML to keep their user interface up-to-date, but they make it very hard to do so in a way that is safe against XSS.

E.g. the JQuery template
<a href="{$url}">{$text}</a>
means create a link whose target is the result of url and whose body contains the result of text. JQuery does a lot better than most templating languages; message is assumed to be plain text and automatically encoded so that the page can't be XSSed that way. But it does nothing about url. If an attacker can make url be javascript:alert(1337) they can execute code with the full privileges of the containing page. This is a serious hole as URLs abound in web applications.

So right now, JQuery templates are easy to learn, but they have to be used cautiously. They would be even easier to use if template authors (and the poor maintainers) didn't have to worry about the provenance of data values, and could promiscuously inject into URLs, CSS, and inline JavaScript.

I've been cooking up a way to fix templating languages like JQuery. You can play around with Secure JQuery templates in the playground, or read up on the design which also includes an analysis of the performance of this system as applied to another templating language.

1 comment:

Anonymous said...

It can do really, yet there does exist one primary impact. And also main difference is definitely overall flexibility. Although various two models can just healthy the next informal and sporty take a look, it follow works most occasions you can actually think of. You can test them as a general everyday wrist watch, in addition to a dress up enjoy (however, the particular silicone bracelet must be sidestepped if you would like match the accommodate wax replica watches, your decide one must select the imitation leather and also s / s diamond preferably instead). The greater mobility is produced by your distinctiveness on this watch, specially when taking a look at the bezel fake watches, which is lacking in any kind of pointless numerals and even will keep specifications from a terrific mode. Which is precisely why We also retain curious, the key reason why dedicate any exorbitant level of investment relating to the honest anytime this approach see will serve because great supplement? When i sometimes care mention that i like the second option http://www.attrinity.com, bearing in mind what precisely I am able to undertake with the revenue I help you save. Your different watches no matter what what precisely this term may recommend, are some of the best created these reproductions available. The majority may be astonished to check on this particular, specially when discovering the way in which affordable most of these different watches are. Though, whilst you might learn, selling price is absolutely not a new quantify with regard to level of quality. The most common belief is certainly which usually designer watches are generally consequently inadequately manufactured, the can beginning bursting a part when you first commence wearing these products. I just regularly discover reports about individuals having him or her concerning and by way of the time frame that they allowed to remain your place, those devices completed earning a living or possibly which appreciates what they will finished doing. My organization is not necessarily gonna absolutely exclude this kind of opportunity, because you can certainly still notice avenue hustlers inviting that you take a look at his or her absolutely crammed trunks. If you invest in one of these questionable characters, the alternative involving being seen this worst look at is often a risk.