This repository was archived by the owner on Sep 5, 2018. It is now read-only.
README.md: 9 additions & 9 deletions
@@ -14,11 +14,11 @@ SecureHandlebars
14
14
## Introduction
15
15
Security is of utmost importance!
16
16
17
-
Imagine a template is written like so: `<a href="{{url}}">{{url}}</a>`. When it is compiled with an untrusted user data like `{url: 'javascript:alert(666)'}`, secure-handlebars automatically applies contextual escaping and generates the HTML `<a href="x-javascript:alert(666)">javascript:alert(666)</a>` as a result.
17
+
Imagine a template is written like so: `<a href="{{url}}">{{url}}</a>`. When it is compiled with an untrusted user data like `{"url": "javascript:alert(666)"}`, secure-handlebars automatically applies contextual escaping and generates the HTML `<a href="x-javascript:alert(666)">javascript:alert(666)</a>` as a result.
18
18
19
-
Clearly, the same `{{url}}`is accurately escaped according to its output contexts to prevent malicious script executions, which otherwise is vulnerable if the original Handlebars is used alone.
19
+
Clearly, the same `{{url}}`must be escaped according to different output contexts to prevent malicious script executions, which otherwise would be vulnerable if the original [Handlebars](http://handlebarsjs.com/) is used alone.
20
20
21
-
This is archived by enhancing the original [Handlebars](http://handlebarsjs.com/) to perform the following major steps:
21
+
This is archived by enhancing the original Handlebars to perform the following steps:
22
22
23
23

24
24
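Review bot: the typo "archived" for "achieved" survives in the rewritten line (`+ This is archived by enhancing the original Handlebars to perform the following steps:`), and the missing space in `{{url}}`must is carried over unchanged from the old `{{url}}`is; suggest `This is achieved by enhancing the original Handlebars ...` and `the same `{{url}}` must be escaped`. In the same rewritten sentence, "which otherwise would be vulnerable if the original Handlebars is used alone" reads more naturally as "which would otherwise be vulnerable if the original Handlebars were used alone", and "an untrusted user data" should drop the article ("untrusted user data"). Switching the example input to JSON syntax (`{"url": "javascript:alert(666)"}`) is fine, but it is worth checking that the usage snippet elsewhere in the README still passes that data object to the compiled template in a matching form, so the introduction and the example code do not drift apart.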
@@ -96,20 +96,20 @@ On the other hand, this utility also faciilates statistics collection. For insta
96
96
npm test
97
97
```
98
98
## Known Limitations & Issues
99
-
- Templates MUST be in UTF-8 encoding and using HTML 5 doctype (i.e., <!doctype html>).
99
+
- Templates MUST be in UTF-8 encoding and using HTML 5 doctype (i.e., `<!doctype html>`).
100
100
- There is no support to the JavaScript contexts and `<style>` tags yet. See the [section](#warnings-and-workarounds) below for details.
101
101
- Our approach involves only static analysis on the template files, and thus data dynamically binded through raw output expressions that may alter the execution context on the rendered HTML CANNOT be taken into account.
102
-
- We now assume that `{{>partial}}` and `{{{{rawblock}}}}`is always placed in the HTML Data context, and by itself will result in the same Data context after its binding (hence, in-state and out-state are both of the data context).
102
+
- We now assume that `{{>partial}}` and `{{{{rawblock}}}}`are always placed in the HTML Data context, and that they will result in the same Data context after data binding (hence, in-state and out-state are both of the data context).
103
103
104
104
### Warnings and Workarounds
105
-
When output expressions are found inside dangerous (yet-to-be-supported) contexts, we echo warnings and gracefully fallback to apply the default Handlebars [`escapeExpression()`](http://handlebarsjs.com/#html-escaping). These warnings are indications of potential security exploits, and thus require closer inspections. Instead of simply abusing raw expressions to suppress the warnings, here are some alternative suggestions to secure your applications.
106
-
- Output placeholder in the `<script>` tag:
105
+
When output expressions are found inside dangerous (yet-to-be-supported) contexts, we echo warnings and gracefully fallback to apply the default Handlebars [`escapeExpression()`](http://handlebarsjs.com/#html-escaping). These warnings are indications of potential security exploits, and thus require closer inspections. Instead of simply abusing `{{{raw_expression}}}` to suppress the warnings, here are some alternative suggestions to secure your applications.
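Review bot: the same missing-space problem is preserved in the rewritten limitation line: `{{{{rawblock}}}}`are should read `{{{{rawblock}}}}` are. Two wording issues sit in unchanged context of this hunk and could be fixed in the same commit: "data dynamically binded through raw output expressions" should use "bound" rather than "binded", and the hunk header context still spells "faciilates" for "facilitates". In the rewritten warnings paragraph, "gracefully fallback" is a verb phrase and should be "gracefully fall back", and "require closer inspections" reads better as "require closer inspection"; replacing "raw expressions" with the literal `{{{raw_expression}}}` syntax is a useful clarification, since that is the exact construct a reader would otherwise be tempted to use to silence the warning. Finally, the hunk as rendered ends after the removed line `- Output placeholder in the `<script>` tag:` with no added counterpart visible; confirm that this is only truncation of the rendered view and that the `<script>` workaround bullet still exists in the new text, because the paragraph above it promises "alternative suggestions" that would otherwise be missing.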