aboutsummaryrefslogtreecommitdiffstats
path: root/testing/templates/operators.html
diff options
context:
space:
mode:
authorLibravatar René Kijewski <kijewski@library.vetmed.fu-berlin.de>2022-02-01 15:32:37 +0100
committerLibravatar Dirkjan Ochtman <dirkjan@ochtman.nl>2022-02-16 14:51:39 +0100
commit29f0c0607ad3d25491f4c4a6ca19b463610ae92d (patch)
tree8b7049e2a197dcf75c1498ac8e6cdcc9bea866ea /testing/templates/operators.html
parent781b32d2c94279a51e74e85d8581491e52db212d (diff)
downloadaskama-29f0c0607ad3d25491f4c4a6ca19b463610ae92d.tar.gz
askama-29f0c0607ad3d25491f4c4a6ca19b463610ae92d.tar.bz2
askama-29f0c0607ad3d25491f4c4a6ca19b463610ae92d.zip
Make json filter safe
Previously the built-in json filter had an issue that made it unsafe to use in HTML data. When used in HTML attributes an attacker who is able to supply an arbitrary string that should be JSON encoded could close the containing HTML element e.g. with `"</div>"`, and write arbitrary HTML code afterwards as long as they use apostrophes instead of quotation marks. The programmer could make this use case safe by explicitly escaping the JSON result: `{{data|json|escape}}`. In a `<script>` context the json filter was not usable at all, because in scripts HTML escaped entities are not parsed outside of XHTML documents. Without using the safe filter an attacker could close the current script using `"</script>"`. This PR fixes the problem by always escaping less-than, greater-than, ampersand, and apostrophe characters using their JSON unicode escape sequence `\u00xx`. Unless the programmer explicitly uses the safe filter, quotation marks are HTML encoded as `&quot`. In scripts the programmer should use the safe filter, otherwise not.
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions