This repository has been archived by the owner on Jul 13, 2022. It is now read-only.
google/py-html-contextual-escaping
<!doctype html>
<html>
<head>
<meta charset="utf-8">
<title>Py HTML Contextual Autoescaping</title>
<script src="https://google-code-prettify.googlecode.com/svn/loader/run_prettify.js"></script>
</head>
<body>
<h1>A contextual autoescaper for HTML</h1>

<h2>Runtime auto-escaping</h2>
<p>If analysis can't be done when a template is compiled, this module provides a file-like object with two methods:</p>
<pre class="prettyprint">
write_safe(**strings)  # Called with strings that appear in the template
write(**values)        # Called with values supplied by the caller at runtime
</pre>
<p>so that a template such as</p>
<pre class="prettyprint">
<b><i>{{ x }}</i></b>
<button onclick=foo(<i>{{ y }}</i>)>
</pre>
<p>produces the sequence of calls</p>
<pre class="prettyprint">
w.write_safe('<b>')
w.write('I <3 Ponies!')
w.write_safe('</b>\n<button onclick=foo(')
w.write({'foo': 'bar', '"baz"': 42})
w.write_safe(')>')
</pre>
<p>which results in the output</p>
<pre class="prettyprint">
<b>I &lt;3 Ponies!</b>
<button onclick="foo({&#34;foo&#34;:&#34;bar&#34;,&#34;\x22baz\x22&#34;:42})">
</pre>
<p>The safe parts are treated as literal chunks of HTML/CSS/JS, and the unsafe parts are escaped to preserve security and least surprise. For a more comprehensive example, a template like</p>
<pre class="prettyprint">
<div style="color: {{user.color}}">
<a href="/{{user.color}}?q={{$user.world}}"
 onclick="alert('{{helper(user)}}');return false">
 {{helper(user)}}
</a>
<script>(function () {
 // Sleepy developers put sensitive info in comments.
 var o = {{user}},
 w = "{{user.world}}";
})();</script>
</div>

{{template helper}}
Hello, {{user.world}}
{{/template}}
</pre>
<p>might correspond to the sequence of calls</p>
<pre class="prettyprint">
# Dummy input values.
user = {
 "world": "<Cincinatti>",
 "color": "blue"
}
color = user["color"]
world = user["world"]

# Alternating safe and unsafe writes that implement the template.
w.write_safe("<div style=\"color: ")
w.write(color)
w.write_safe("\">\n<a href=\"/")
w.write(color)
w.write_safe("?q=")
w.write(world)
w.write_safe("\"\n onclick=\"alert('")
helper(w, user)
w.write_safe("');return false\">\n ")
helper(w, user)  # Helper called in a different context
w.write_safe("\n </a>\n <script>(function () {\n var o = ")
w.write(user)
w.write_safe(",\n w = \"")
w.write(world)
w.write_safe("\";\n })();</script>\n</div>")
</pre>
<p>which results in the output</p>
<pre class="prettyprint">
<div style="color: blue">
<a href="/blue?q=%3cCincinatti%3e"
 onclick="alert('Hello, \x3cCincinatti\x3e!');return false">
 Hello, <Cincinatti>!
</a>
<script>(function () {
 var o = {"Color":"blue","World":"\u003cCincinatti\u003e"},
 w = "\x26lt;Cincinatti\x26gt;";
})();</script>
</div>
</pre>

<h2>Static auto-escaping</h2>
<p>If a template system's call-graph is readily statically analyzable, the <tt>escape</tt> module can be used to propagate context and pick an escaper for each interpolation of an untrusted value into the template output.</p>
</body>
</html>
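A minimal runtime writer in the spirit of the write_safe/write interface described above, added here as an illustration and not the project's own code: it tracks a subset of contexts (text, plain attribute, URL attribute, event-handler attribute), refuses an untrusted value that lands between attributes, and replays the page's `<a>` example on a constructed user value. The names `ContextualWriter`, `js_value` and `render_link` are this example's own.

```python
import html, json, re
from urllib.parse import quote
# Tracked contexts (subset: text and quoted attrs; no <script>/<style> bodies, no CSS, no unquoted attrs).
TEXT, TAG, ATTR, URL_ATTR, JS_ATTR = "text", "tag", "attr", "url_attr", "js_attr"
ATTR_NAME_RE = re.compile(r"([A-Za-z:-]+)\s*=\s*$")
def js_value(value):
    """JSON-encode a value as a JS literal, hex-escaping chars HTML would interpret."""
    s = json.dumps(value)
    return s.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")
ESCAPERS = {  # escaper per context; TAG has no entry, so a value between attributes is refused
    TEXT: lambda v: html.escape(str(v), quote=False),
    ATTR: lambda v: html.escape(str(v), quote=True),
    URL_ATTR: lambda v: quote(str(v), safe=""),
    JS_ATTR: lambda v: html.escape(js_value(v), quote=True),
}

class ContextualWriter:
    """Tracks HTML context over write_safe() chunks; write() escapes values for that context."""
    def __init__(self):
        self.out, self.ctx, self.tagbuf, self.endq = [], TEXT, "", None
    def write_safe(self, chunk):
        self.out.append(chunk)
        for c in chunk:
            if self.ctx == TEXT and c == "<":
                self.ctx, self.tagbuf = TAG, ""
            elif self.ctx == TAG and c == ">":
                self.ctx = TEXT
            elif self.ctx == TAG and c in "\"'":  # opening quote: classify by attr name
                m = ATTR_NAME_RE.search(self.tagbuf)
                name = m.group(1).lower() if m else ""
                self.endq, self.tagbuf = c, ""
                self.ctx = (JS_ATTR if name.startswith("on") else
                            URL_ATTR if name in ("href", "src", "action") else ATTR)
            elif self.ctx == TAG:
                self.tagbuf += c
            elif c == self.endq:  # closing quote of an attribute value
                self.ctx = TAG
    def write(self, value):
        if self.ctx not in ESCAPERS:
            raise ValueError("untrusted value in %s context" % self.ctx)
        self.out.append(ESCAPERS[self.ctx](value))

def render_link(user):
    """The page's <a> example on constructed input: trusted pieces alternate with values."""
    w = ContextualWriter()
    pieces = ['<a href="/', user["color"], "?q=", user["world"], '" onclick="alert(',
              user["world"], ');return false">', user["world"], "</a>"]
    for i, piece in enumerate(pieces):
        (w.write_safe if i % 2 == 0 else w.write)(piece)
    return "".join(w.out)
```

The same value is escaped three different ways depending only on the trusted text that preceded it, which is the whole point of choosing the escaper by context rather than by value.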
About
Automatically exported from code.google.com/p/py-html-contextual-escaping