|
7 | 7 | <link rel="stylesheet" href="checker.css"> |
8 | 8 | <script src="js-yaml.min.js"></script> |
9 | 9 | <script src="checker.js"></script> |
| 10 | +<script src="xss.js"></script> |
10 | 11 | <link rel="license" href="https://creativecommons.org/licenses/by/4.0/"> |
11 | 12 |
|
12 | 13 | <!-- See create_labs.md for how to create your own lab! --> |
13 | 14 |
|
14 | | -<!-- Sample expected answer --> |
15 | | -<script id="expected0" type="plain/text"> |
16 | | - autoescape=select_autoescape() |
17 | | -</script> |
18 | | -<script id="expected1" type="plain/text"> |
19 | | - <h1>Hello {{ person }}!</h1> |
20 | | -</script> |
21 | | -<script id="expected2" type="plain/text"> |
22 | | - result = Markup('Original name=') + name |
23 | | -</script> |
24 | | - |
25 | | -<!-- Full pattern of correct answer --> |
26 | | -<!-- TODO --> |
27 | | -<script id="correct0" type="plain/text"> |
28 | | -\s* autoescape = select_autoescape \( \) \s* |
29 | | -</script> |
30 | | -<script id="correct1" type="plain/text"> |
31 | | -\s* < h1 >Hello\x20{{ person }}!< /h1 > \s* |
32 | | -</script> |
33 | | -<script id="correct2" type="plain/text"> |
34 | | -\s* result = Markup \( ('Original name='|"Original name=") \) \+ name \s* |
35 | | -</script> |
36 | | - |
37 | | -<script id="info" type="application/yaml"> |
38 | | ---- |
39 | | -hints: |
40 | | -- absent: |- |
41 | | - autoescape |
42 | | - text: Add an `autoescape=` parameter. |
43 | | -- present: |- |
44 | | - autoescape [^:\x20] |
45 | | - text: The name `autoescape` needs to be followed by `=`. |
46 | | -- present: |- |
47 | | - (Autoescape|AUTOESCAPE) |
48 | | - text: The name `autoescape` must be in all lowercase. |
49 | | -- present: |- |
50 | | - ([Aa]uto_[Ee]scape|AUTO_ESCAPE) |
51 | | - text: Use `autoescape` in all lowercase with no underscores. |
52 | | -- present: |- |
53 | | - \| safe |
54 | | - index: 1 |
55 | | - text: The text `| safe` indicates that this text is trusted and should |
56 | | - not be escaped further. However, in context this data could be provided |
57 | | - from an attacker and is NOT safe. Remove the marking. |
58 | | -- present: |- |
59 | | - \| |
60 | | - index: 1 |
61 | | - text: The `|` is used to separate the computed value from the safe marking, |
62 | | - but we will not use that marking. Remove the vertical bar. |
63 | | -- present: |- |
64 | | - Markup \(.*\+.*\) |
65 | | - index: 2 |
66 | | - text: Having a concatenation (+) *inside* the call to Markup |
67 | | - is a vulnerability. |
68 | | - The call to Markup presumes we are passing text that is *not* supposed |
69 | | - be escaped. If it is supposed to be escaped, it should be concatenated |
70 | | - outside the initial construction of the Markup object. |
71 | | -- absent: |- |
72 | | - \+ |
73 | | - index: 2 |
74 | | - text: Our expected answer includes concatentation using `+`. |
75 | | - We expect something like `Markup('Original name='` followed by `+` |
76 | | - followed by the variable containing the data that needs to be escaped. |
77 | | -# debug: true |
78 | | -</script> |
79 | 15 | </head> |
80 | 16 | <body> |
81 | 17 | <!-- For GitHub Pages formatting: --> |
|