http://qs321.pair.com?node_id=680582

moritz has asked for the wisdom of the Perl Monks concerning the following question:

I quite like HTML::Template's and HTML::Template::Compiled's default_escape options.

They take care that any variable in the template is escaped unless specified otherwise. That's nice if you forget to escape your variables (and still don't like XSS).

Is there such an option for Template-Toolkit?

I'm not very familiar with Template toolkit, so I guess it would be some kind of a plugin, and you could write [% variable | unhtml %] or some such to prevent encoding.

(Actually tinita asked that on the 10. German Perl Workshop during her talk on web security and got no answer).

Replies are listed 'Best First'.
Re: default_escape for Template::Toolkit?
by pc88mxer (Vicar) on Apr 15, 2008 at 17:25 UTC
    I created a patch for this about six months ago and discussed it on the TT mailing list. It allows you to write:
    [% GETFILTER '::html_escape' %] ... all gets are now filtered through the function ::html_escape ... Hello, [% name %] [% GETFILTER '' %] ... turn off filtering ... [% END %] ... previous filtering resumes ... [% END %]
    It maintains a stack of filters, and there's no reason why you couldn't pre-initialize it with a default filter.

    At the time it seemed to generate some interest, although not enough for me to do much more with it. Perhaps by now some form of it has made it's way into the latest release - I haven't checked.

      Perhaps by now some form of it has made it's way into the latest release - I haven't checked.

      I grepped the latest release for 'getfilter', no results. So it doesn't seem to be implemented, or at least not with that syntax. I didn't find anything in the Changes file either.

      Thanks for your response anyway.

        It's trivial to implement. Check out the TT mailing list archives for Nov 2007.

        I'm not sure why there wasn't more interest in it. I think this capability would be a great boon for creating robust HTML using TT.

Re: default_escape for Template::Toolkit?
by tinita (Parson) on Apr 16, 2008 at 08:58 UTC
    wow, interesting, that so few seem interested.
    default_escape is IMHO the solution against XSS. since i know it i don't want to miss it. it's so comfortable to create templates while knowing that you can't forget to html-escape. at the same time you often stumble across embarrassing XSS issues on other pages, and you can be sure that this very probably won't happen to you.
    so why seem most of the TT users here not to be interested? what do you do to prevent XSS reliably?

      Personally, I don't accept input from (untrusted) users. But that approach certainly isn't feasible if you want to create a website that allows users to enter data. When I output stuff, I'd really like a way to specify the escaping in the templates like the Free Nodelet allows, by appending &, % etc..

      Something that I'm thinking about from time to time would be a more typed version of Taint mode where you can "color" strings according to their provenience (user input, db input, etc.). You would also need to be able to color the filehandles and other output/system methods accordingly, and a HTML-colored output filehandle would either die fatally when it encounters input in the wrong color or convert the input by html-escaping it.

      To make this idea feasible at all, concatenation with constant strings would need to bleed the color into the result and some translation rules would need to exist. I'm not sure where Perl has hooks for that. I believe Taint mode is implemented through magic, so maybe the colors could be implemented through the same magic, except that a colored string is both tainted ("lead paint") but in a special color.

      what do you do to prevent XSS reliably?
      • Sanitize user input using a accept known good only approach (link to owasp.com). I find Embperl::Form::Validate very useful, although there are many others as well.
      • Flip HTML::Mason's default_escape_flags so that if someone enters:
        <script>load_malicious_javascript_from_hacker_site;</script>
        into a text field in your blog, it is displayed verbatim rather than turned into executable code.
      The OWASP Guide to Building Secure Web Applications version 3 draft is out. Is is certainly an interesting read for those concerned about web application security.
      --
      When you earnestly believe you can compensate for a lack of skill by doubling your efforts, there's no end to what you can't do. [1]
        I think the question was directed at TT users. At least mine was.
        Flip HTML::Mason's default_escape_flags

        That's the point. TT doesn't seem to have such a flag (or at least nobody knows about it). HTML::Template and HTML::Mason (documented in HTML::Mason::Compiler have some default escaping mechanism. So what do the TT users do?

        I can't believe they never forget to escape something and therefore don't need a better solution.

Re: default_escape for Template::Toolkit?
by Arunbear (Prior) on Apr 15, 2008 at 17:52 UTC
      Quite the reverse: I'd like a default escaping mechanism to not escape includes, results of macros and the like, but interpolated variables.
Re: default_escape for Template::Toolkit?
by Rhandom (Curate) on Oct 28, 2013 at 15:20 UTC
    At this point, this node is rather historic (look at this post date vs that of the other posts in this node), but I think as this node is a good historic point of question, that it is worth referencing a recent node that answers the questions. How to test all TT2 tags are escaped.
    my @a=qw(random brilliant braindead); print $a[rand(@a)];