I am testing some frontend code, and I can see the code that takes input using the {{}} handlerbars, so if I entered an input = &123 , shouldn't this be converted to &123 and then stored in the server since two double mustache means the characters like '&' is escaped. When I look at the post being send to the server, it still appears as &123.
No, the HTML escaping done by {{}} only has to do with how a value is rendered into the DOM. A string entered using {{input}} is not transformed in any way by Ember, nor should it be.
In general, one does not want to HTML-escape information being held in the DB. The data in the DB should be the actual data. The HTML escaping is something that should be done, as Ember does, "on the way out" when the data is being displayed in an HTML context.
If you really want to keep HTML-escaped data in your server, then you could escape it on the server prior to saving, or perhaps in an Ember serializer. However, when retrieving the data, you'd then have to either unescape it on the server, or send it down the client as is, either unescaping it is the deserializer, or remembering that it is already escaped and putting in the DOM using {{{}}} (triple handlebars).
Related
I'm trying to find something that will return an exception upon finding anything that even remotely looks like HTML or Javascript. I've figured out how to do it for individual views, but it's not a scalable solution, and ultimately I need to prevent code from being saved to the database no matter what view gets targeted by the injection attack.
Here is the functionality I'm looking for.
ILLEGAL_CHARS = '<>[]{}():;,'.split()
# bunch of code in between
for value in [company_name, url, status, information, lt_type, company_source]:
if any(char in value for char in ILLEGAL_CHARS):
raise Exception(f"You passed one of several illegal characters: {ILLEGAL_CHARS}")
I'm using django rest framework so I have to handle it on the backend. Thanks.
actually you don't nead to sanitize any user input because when you show them int the template the jinja {{object}} will make sure that no html or java script will be executed until you mark them as safe {{object|safe}} but if you want want not to save them in database that might help Sanitizing HTML in submitted form data
I can read first party cookies that have set names just fine in Google Tag Manager. However I have come across a few instances where the cookie name is session based and there isn't a name set consistently for me to check against. I want to know if the cookie is set and ideally read the data.
For instance
cookie_name_123456
cookie_name_234567
cookie_name_345678
It doesn't look like the name field takes regular expressions. Anyone know a way to setup GTM to read a cookie like that?
You can create a custom HTML tag with a Javascript that reads the document.cookie property, and split in by the delimiter to get an array with individual cookies (document.cookie.split(";")).
This gives you an Array with all first party cookies that are not flagged as "http only" (those are not accessible with JS). Each array entry will have the format of "cookiename equals value" (e.g. "_ga=GA1.2.1545993750.1587886865" would be the Universal Analytics cookie "_ga" with a client id as value). You can then loop over the array.
Inside the loop you can split each array entry by the "=" sign to get arrays with two elements, [0] for name and 1 for value. You then apply your regex to the name. If the rexeg matches what you are looking for, you can push the value to the dataLayer.
To make sure this has run before the tag that will be using the cookie value, you can use tag sequencing. If you manage your sequence via the onHtmlSuccess() and onHtmlFailure() functions as explained e.g. here in Simo's blog you can set the sequence so that the tags are only fired when the cookie value is actually there.
Alas it is not possible to do this in a custom template, which would be so much more elegant, but the sandboxed JS inside custom templates cannot access global document properties.
When I have to transfer complex values (e.g. a list of dicts) through a Django template to the front end, I typically use json_script to try and prevent XSS vectors.
Recently, I started using lit-element, which has a neat way of pulling attribute values from your custom elements and providing them as properties to your component. You can say:
<my-element items="{{ serialized array of items }}"></my-element>
Then lit-element will take whatever string value is passed to the items attribute and call JSON.parse() on it, so I need a way of serializing my value to JSON.
Since that is relatively trivial in itself, my initial idea was to write a custom template filter and try to match how json_script escapes values. But then I read the source for that function and it explicitly states:
Escape all the HTML/XML special characters with their unicode escapes,
so value is safe to be output anywhere except for inside a tag attribute.
This sounds like attribute values are potentially a more serious XSS vector. So I guess my question is - how to serialize data (in Django/Python) to JSON so it's safe for use in tag attribute values?
I think the reason it says can be used anywhere apart from attributes is that this function doesn't escape speechmarks, this means you would be able to close an attribute and start a new one easily. Django provides the escapejs template tag that escapes speech marks as well.
This function is in the same source that you linked in your question. Following the approach used there should be safe.
How can I perform sanitization on string attributes to prevent XSS? Right now my thoughts are to override my base model's save method and iterate over all the strings in the model and set all the string inputs to safe strings. Would this be a good way to approach this problem or is there a better way?
EDIT:
Problem occurs when saving a name attribute ( alert('xss')) for a person in the app. It saves it in a non-sanitized manner into the database. Then that name is loaded in our other site which does not sanitize the output and that's where the script injection occurs! I'd like to sanitize it before saving it to the DB
Handlebars automatically sanitizes strings. If you want to avoid this, you must explicitly use the triple-brace syntax:
{{{myHtmlString}}}
Rather than trying to sanitise the input, you really ought to change that other site to make sure it html-escapes the data it is presenting from the database. Even if you would "sanitise" things on the Ember side, can you guarantee there are no other vulnerabilities which allow someone to inject HTML in the database?
Always escaping anything being presented is really the only safe way to deal with XSS. If you're filtering input you are very likely to not catch every possible way of injecting unexpected input.
I was thinking about my app's XSS vulnerability. On the server side I don't sanitize either input or output, so
<script>alert(document.cookies)</script>
is stored in database exactly so. To view this value on the client side I use Mustache. If this script was executed by an admin, it is of course easy to hijack his session. However I've noticed that Mustache by default escapes these values & \ " < > when you use the {{}} syntax. Do I need to worry about XSS, when the value from the database would be inserted into
<p>{{value}}</p>
or even
<p data-id='{{value}}'>something</p>
? Should I perhaps review my Mustache templates to look for any vulnerable code, or unless I'd use
<script>{{value}}</script>
I am safe?
Well, you should always worry :) But yes, Mustache accomplishes the goal you are talking about here, protecting your examples from XSS (except where you're outputting the value directly into a <script> tag).
Note: check that the Mustache implementation you're using escapes single quotes. It's apparently not in the spec to do so (https://github.com/mustache/spec/issues/69) but the major implementations thankfully escape it anyway.