Not obvious that "structure user_input" risks XSS attacks
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Launchpad itself |
Triaged
|
Low
|
Unassigned |
Bug Description
In page templates:
* <foo tal:content=
* <foo tal:content=
* <foo tal:content=
I don't think it's immediately obvious, to a coder or a reviewer, that that the second of these is dangerous (unless user_input has been filtered beforehand) while the others are not. We have had XSS vulnerabilities before, so this is not a theoretical problem.
Possibly this could be fixed by changing the syntax in an Apps-Hungarian style: "structure" could be renamed to something that includes the word "unsafe", while "fmt:text_to_html" is renamed to something like "fmt:safe_html".
A related partial solution would be for either lint or the test suite to complain if a template contains tal:content=
Changed in launchpad-foundations: | |
status: | New → Triaged |
importance: | Undecided → Low |
I've filed a bug on this elsewhere... I think it was as a Zope 3 enhancement.
Here's what should happen.
- "structure" should always be seen as unsafe. Our code review tools and editors should be configured to highlight the word "structure" in page templates.
- When some piece of Launchpad infrastructure is producing properly escaped HTML, it should be of a special type -- a subclass of unicode -- and the page template system should recognise this and automatically add an implicit "structure".
- There should be a new TAL keyword "unstructured". So, we effectively get the default situation as "the code knows how to tell the template whether a string is structured or not, and we trust the code to escape things properly when necessary". And, we can manually override this in templates using "structured" and "unstructured".
- We can do without "unstructured" if we note that we can just convert a "unicode with structure" into a "unicode", and then the template will escape it.
Doing this requires some changes to how TAL works. So this needs to be accepted upstream in Zope 3. I attempted this many months ago, but other Zope 3 developers didn't really see the point, perhaps because they use page templates a bit differently on their projects.