Incorporating section from Mike W
parent 6b519f7b64
commit ab45f4f1db
@@ -256,6 +256,84 @@ issue for you called @racket[in]:
 }|
 Notice how it also avoids the absurd amount of punctuation on line two.
 
+@section{Escaping}
+
+@margin-note{Thanks to Michael W. for this section.}
+
+Because templates are useful for many things (scripts, CSS, HTML,
+etc), the Web Server does not assume that the template is for XML-like
+content. Therefore when when templates are expanded, no
+XML escaping is done by default. Beware of @emph{cross-site scripting}
+vulnerabilities! For example, suppose a servlet serves the following
+template where @racket[_some-variable] is an input string supplied by
+the client:
+
+@verbatim[#:indent 2]|{
+<html>
+<head><title>Fastest Templates in the West!</title></head>
+<body>
+@some-variable
+</body>
+</html>
+}|
+
+If the servlet contains something like the following:
+
+@racketblock[
+(let ([some-variable (get-input-from-user)])
+(include-template "static.htm"))
+]
+
+There is nothing to prevent an attacker from entering
+@litchar["<script type=\"text/javascript\">...</script>"] to make the
+template expand into:
+
+@verbatim[#:indent 2]|{
+<html>
+<head><title>Fastest Templates in the West!</title></head>
+<body>
+<script type="text/javascript">...</script>
+</body>
+</html>
+}|
+
+Now the server will send the attacker's code to millions of innocent
+users. To keep this from happening when serving HTML, use the
+@racket[xexpr->string] function from the @racketmodname[xml] module.
+
+This can be done in the servlet:
+
+@racketblock[
+(require xml)
+
+(let ([some-variable (xexpr->string (get-input-from-user))])
+(include-template "static.htm"))
+]
+
+Alternatively, make the template responsible for its own escaping:
+
+@verbatim[#:indent 2]|{
+<html>
+<head><title>Fastest Templates in the West!</title></head>
+<body>
+@(xexpr->string some-variable)
+</body>
+</html>
+}|
+
+The improved version renders as:
+
+@verbatim[#:indent 2]|{
+<html>
+<head><title>Fastest Templates in the West!</title></head>
+<body>
+<script type=\"text/javascript\">...</script>
+</body>
+</html>
+}|
+
+When writing templates, always remember to escape user-supplied input.
+
 @section{HTTP Responses}
 
 The quickest way to generate an HTTP response from a template is using
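Review bot: the "improved version renders as" block shows the wrong output: @(xexpr->string some-variable) HTML-escapes the string, so the body should render as `&lt;script type="text/javascript"&gt;...&lt;/script&gt;`, not `<script type=\"text/javascript\">...</script>`. The backslash-escaped quotes look like the Racket string-literal escapes from the @litchar line leaking into the rendered example, and as written the "improved" output still contains a live script tag, which contradicts the point the section is making. Two smaller items: "Therefore when when templates are expanded" has a doubled "when", and since the servlet-side and template-side fixes are presented as alternatives, it is worth saying so explicitly, because applying both escapes the input twice (`&amp;lt;` instead of `&lt;`).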