-
Notifications
You must be signed in to change notification settings - Fork 144
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Context-aware escaping #181
Labels
Comments
Sorry about the delay. Yeah, I've come around to accepting that this is an issue. We can make some simplifications, as e.g. the lack of legacy code allows us to simply reject cases we don't understand. But overall this will need a lot of design work. Relevant links: |
8 tasks
lambda-fairy
changed the title
Escaping in <style> and <script> is strictly wrong
Context-aware escaping
Apr 24, 2021
This was referenced Apr 24, 2021
Closed
Some notes before I forget:
|
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The HTML spec defines
<style>
and<script>
as 'raw text elements', meaning that escapes in their bodies are not processed (hence, e.g.,span:before { content: "Hello!" }
cannot be escaped tospan:before { content: "Hello!" }
- try it in a browser if you don't believe me).This is a potential footgun with
maud
: the path of less resistance, lettingmaud
do the escaping, means that the scripts and styles get mangled; however, naively usingPreEscaped
could theoretically introduce an XSS vulnerability because then there's no check for an errant</
.This is related to #88. I'm afraid that the HTML syntax is so complicated that there's no way to avoid a certain amount of context-awareness here. I don't know what the ideal API looks like, or even if
maud
can do much better, but at the very least the docs should point out the footgun here.The text was updated successfully, but these errors were encountered: