From 29f0c0607ad3d25491f4c4a6ca19b463610ae92d Mon Sep 17 00:00:00 2001 From: René Kijewski Date: Tue, 1 Feb 2022 15:32:37 +0100 Subject: Make json filter safe Previously the built-in json filter had an issue that made it unsafe to use in HTML data. When used in HTML attributes an attacker who is able to supply an arbitrary string that should be JSON encoded could close the containing HTML element e.g. with `""`, and write arbitrary HTML code afterwards as long as they use apostrophes instead of quotation marks. The programmer could make this use case safe by explicitly escaping the JSON result: `{{data|json|escape}}`. In a `"`. This PR fixes the problem by always escaping less-than, greater-than, ampersand, and apostrophe characters using their JSON unicode escape sequence `\u00xx`. Unless the programmer explicitly uses the safe filter, quotation marks are HTML encoded as `"`. In scripts the programmer should use the safe filter, otherwise not. --- askama_escape/Cargo.toml | 3 +++ askama_escape/src/lib.rs | 56 ++++++++++++++++++++++++++++++++++++++++++++---- 2 files changed, 55 insertions(+), 4 deletions(-) (limited to 'askama_escape') diff --git a/askama_escape/Cargo.toml b/askama_escape/Cargo.toml index ed7148c..643f81a 100644 --- a/askama_escape/Cargo.toml +++ b/askama_escape/Cargo.toml @@ -17,6 +17,9 @@ maintenance = { status = "actively-developed" } [dev-dependencies] criterion = "0.3" +[features] +json = [] + [[bench]] name = "all" harness = false diff --git a/askama_escape/src/lib.rs b/askama_escape/src/lib.rs index ad08e55..1788843 100644 --- a/askama_escape/src/lib.rs +++ b/askama_escape/src/lib.rs @@ -1,10 +1,7 @@ -#![no_std] +#![cfg_attr(not(any(feature = "json", test)), no_std)] #![deny(elided_lifetimes_in_paths)] #![deny(unreachable_pub)] -#[cfg(test)] -extern crate std; - use core::fmt::{self, Display, Formatter, Write}; use core::str; @@ -175,6 +172,57 @@ pub trait Escaper { const FLAG: u8 = b'>' - b'"'; +/// Escape chevrons, ampersand and apostrophes for use in JSON +#[cfg(feature = "json")] +#[derive(Debug, Clone, Default)] +pub struct JsonEscapeBuffer(Vec); + +#[cfg(feature = "json")] +impl JsonEscapeBuffer { + pub fn new() -> Self { + Self(Vec::new()) + } + + pub fn finish(self) -> String { + unsafe { String::from_utf8_unchecked(self.0) } + } +} + +#[cfg(feature = "json")] +impl std::io::Write for JsonEscapeBuffer { + fn write(&mut self, bytes: &[u8]) -> std::io::Result { + macro_rules! push_esc_sequence { + ($start:ident, $i:ident, $self:ident, $bytes:ident, $quote:expr) => {{ + if $start < $i { + $self.0.extend_from_slice(&$bytes[$start..$i]); + } + $self.0.extend_from_slice($quote); + $start = $i + 1; + }}; + } + + self.0.reserve(bytes.len()); + let mut start = 0; + for (i, b) in bytes.iter().enumerate() { + match *b { + b'&' => push_esc_sequence!(start, i, self, bytes, br#"\u0026"#), + b'\'' => push_esc_sequence!(start, i, self, bytes, br#"\u0027"#), + b'<' => push_esc_sequence!(start, i, self, bytes, br#"\u003c"#), + b'>' => push_esc_sequence!(start, i, self, bytes, br#"\u003e"#), + _ => (), + } + } + if start < bytes.len() { + self.0.extend_from_slice(&bytes[start..]); + } + Ok(bytes.len()) + } + + fn flush(&mut self) -> std::io::Result<()> { + Ok(()) + } +} + #[cfg(test)] mod tests { use super::*; -- cgit