diff options
author | René Kijewski <kijewski@library.vetmed.fu-berlin.de> | 2022-02-01 15:32:37 +0100 |
---|---|---|
committer | Dirkjan Ochtman <dirkjan@ochtman.nl> | 2022-02-16 14:51:39 +0100 |
commit | 29f0c0607ad3d25491f4c4a6ca19b463610ae92d (patch) | |
tree | 8b7049e2a197dcf75c1498ac8e6cdcc9bea866ea /testing | |
parent | 781b32d2c94279a51e74e85d8581491e52db212d (diff) | |
download | askama-29f0c0607ad3d25491f4c4a6ca19b463610ae92d.tar.gz askama-29f0c0607ad3d25491f4c4a6ca19b463610ae92d.tar.bz2 askama-29f0c0607ad3d25491f4c4a6ca19b463610ae92d.zip |
Make json filter safe
Previously the built-in json filter had an issue that made it unsafe to
use in HTML data. When used in HTML attributes an attacker who is able
to supply an arbitrary string that should be JSON encoded could close
the containing HTML element e.g. with `"</div>"`, and write arbitrary
HTML code afterwards as long as they use apostrophes instead of
quotation marks. The programmer could make this use case safe by
explicitly escaping the JSON result: `{{data|json|escape}}`.
In a `<script>` context the json filter was not usable at all, because
in scripts HTML escaped entities are not parsed outside of XHTML
documents. Without using the safe filter an attacker could close the
current script using `"</script>"`.
This PR fixes the problem by always escaping less-than, greater-than,
ampersand, and apostrophe characters using their JSON unicode escape
sequence `\u00xx`. Unless the programmer explicitly uses the safe
filter, quotation marks are HTML encoded as `"`. In scripts the
programmer should use the safe filter, otherwise not.
Diffstat (limited to 'testing')
-rw-r--r-- | testing/templates/json.html | 2 | ||||
-rw-r--r-- | testing/tests/filters.rs | 60 | ||||
-rw-r--r-- | testing/tests/whitespace.rs | 4 |
3 files changed, 64 insertions, 2 deletions
diff --git a/testing/templates/json.html b/testing/templates/json.html index 250b7be..a1855ca 100644 --- a/testing/templates/json.html +++ b/testing/templates/json.html @@ -1,4 +1,4 @@ { "foo": "{{ foo }}", - "bar": {{ bar|json }} + "bar": {{ bar|json|safe }} } diff --git a/testing/tests/filters.rs b/testing/tests/filters.rs index be3e0ab..7973f45 100644 --- a/testing/tests/filters.rs +++ b/testing/tests/filters.rs @@ -250,3 +250,63 @@ fn test_filter_truncate() { }; assert_eq!(t.render().unwrap(), "alpha baralpha..."); } + +#[cfg(feature = "serde-json")] +#[derive(Template)] +#[template(source = r#"<li data-name="{{name|json}}"></li>"#, ext = "html")] +struct JsonAttributeTemplate<'a> { + name: &'a str, +} + +#[cfg(feature = "serde-json")] +#[test] +fn test_json_attribute() { + let t = JsonAttributeTemplate { + name: r#""><button>Hacked!</button>"#, + }; + assert_eq!( + t.render().unwrap(), + r#"<li data-name=""\"\u003e\u003cbutton\u003eHacked!\u003c/button\u003e""></li>"# + ); +} + +#[cfg(feature = "serde-json")] +#[derive(Template)] +#[template(source = r#"<li data-name='{{name|json|safe}}'></li>"#, ext = "html")] +struct JsonAttribute2Template<'a> { + name: &'a str, +} + +#[cfg(feature = "serde-json")] +#[test] +fn test_json_attribute2() { + let t = JsonAttribute2Template { + name: r#"'><button>Hacked!</button>"#, + }; + assert_eq!( + t.render().unwrap(), + r#"<li data-name='"\u0027\u003e\u003cbutton\u003eHacked!\u003c/button\u003e"'></li>"# + ); +} + +#[cfg(feature = "serde-json")] +#[derive(Template)] +#[template( + source = r#"<script>var user = {{name|json|safe}}</script>"#, + ext = "html" +)] +struct JsonScriptTemplate<'a> { + name: &'a str, +} + +#[cfg(feature = "serde-json")] +#[test] +fn test_json_script() { + let t = JsonScriptTemplate { + name: r#"</script><button>Hacked!</button>"#, + }; + assert_eq!( + t.render().unwrap(), + r#"<script>var user = "\u003c/script\u003e\u003cbutton\u003eHacked!\u003c/button\u003e"</script>"# + ); +} diff --git a/testing/tests/whitespace.rs b/testing/tests/whitespace.rs index ca72b23..cbcddd7 100644 --- a/testing/tests/whitespace.rs +++ b/testing/tests/whitespace.rs @@ -1,3 +1,5 @@ +#![cfg(feature = "serde-json")] + use askama::Template; #[derive(askama::Template, Default)] @@ -37,5 +39,5 @@ fn test_extra_whitespace() { let mut template = AllowWhitespaces::default(); template.nested_1.nested_2.array = &["a0", "a1", "a2", "a3"]; template.nested_1.nested_2.hash.insert("key", "value"); - assert_eq!(template.render().unwrap(), "\n0\n0\n0\n0\n\n\n\n0\n0\n0\n0\n0\n\na0\na1\nvalue\n\n\n\n\n\n[\n \"a0\",\n \"a1\",\n \"a2\",\n \"a3\"\n]\n[\n \"a0\",\n \"a1\",\n \"a2\",\n \"a3\"\n][\n \"a0\",\n \"a1\",\n \"a2\",\n \"a3\"\n]\n[\n \"a1\"\n][\n \"a1\"\n]\n[\n \"a1\",\n \"a2\"\n][\n \"a1\",\n \"a2\"\n]\n[\n \"a1\"\n][\n \"a1\"\n]1-1-1\n3333 3\n2222 2\n0000 0\n3333 3\n\ntruefalse\nfalsefalsefalse\n\n\n\n\n\n\n\n\n\n\n\n\n\n"); + assert_eq!(template.render().unwrap(), "\n0\n0\n0\n0\n\n\n\n0\n0\n0\n0\n0\n\na0\na1\nvalue\n\n\n\n\n\n[\n "a0",\n "a1",\n "a2",\n "a3"\n]\n[\n "a0",\n "a1",\n "a2",\n "a3"\n][\n "a0",\n "a1",\n "a2",\n "a3"\n]\n[\n "a1"\n][\n "a1"\n]\n[\n "a1",\n "a2"\n][\n "a1",\n "a2"\n]\n[\n "a1"\n][\n "a1"\n]1-1-1\n3333 3\n2222 2\n0000 0\n3333 3\n\ntruefalse\nfalsefalsefalse\n\n\n\n\n\n\n\n\n\n\n\n\n\n"); } |