Is freemarker template HTML escaped by default - html

I just started working with freemarker templates. I want to make sure that they are HTML escaped to avoid XSS vulnerabilities.
I tried using this template and passed an anchor tag as a variable
String dummyAnchorTagVariable = "<a href='https://example.com'>Visit mysite</a>";
and used it in freemarker template
<div> ${dummyAnchorTagVariable} </div>
The result of this was seeing the whole text, including the tags, on the web page and not a link. So I assume that FreeMarker is HTML escaped by default.
But when I try to find the documentation related to it, I can't find anything that says FreeMarker is HTML escaped by default:
http://freemarker.incubator.apache.org/docs/ref_directive_escape.html
and there is even a blog post (although old) that describes how to make it escape by default: http://watchitlater.com/blog/2011/10/default-html-escape-using-freemarker/
So I'm kind of confused about the HTML escaping in Freemarker.

FreeMarker before 2.3.24 is not escaped by default, unless someone is using a custom TemplateLoader that puts the template inside <#escape x as x?html>...</#escape>. If that's what's happening in your case, then <#noescape>${dummyAnchorTagVariable}</#noescape> will work; otherwise it will give an error because there's no active #escape to disable.
FreeMarker 2.3.24 can auto-escape without TemplateLoader tricks (as of this writing it's not yet out, but hopefully RC1 comes in days and final in February).
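As an added example (not code from the question, the answer or the FreeMarker project), the following Java program renders the same value both ways the answer describes: with the 2.3.24 output-format auto-escaping, where ${...} is escaped by default and ?no_esc is the opt-out for a value the application deliberately wants inserted as markup, and with the older <#escape x as x?html> wrapper, where ${...} is raw unless the template escapes it. The template names, the trustedFragment variable and the render() helper are assumptions made for the example; the FreeMarker calls are the public 2.3.24 API.

```java
// Added example (not from the question, the answer or the FreeMarker project).
// Shows (1) FreeMarker 2.3.24+ auto-escaping through HTMLOutputFormat, with
// ?no_esc as the opt-out for values that really are trusted markup, and
// (2) the pre-2.3.24 approach: wrapping the template body in <#escape x as x?html>.
// Template names, the "trustedFragment" variable and the main() are assumptions.
import freemarker.cache.StringTemplateLoader;
import freemarker.core.HTMLOutputFormat;
import freemarker.template.Configuration;
import freemarker.template.Template;
import freemarker.template.TemplateException;

import java.io.IOException;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;

public class EscapeDemo {

    // Renders one in-memory template with the given configuration and data model.
    static String render(Configuration cfg, String name, String source,
                         Map<String, Object> model) throws IOException, TemplateException {
        StringTemplateLoader loader = new StringTemplateLoader();
        loader.putTemplate(name, source);
        cfg.setTemplateLoader(loader);
        Template template = cfg.getTemplate(name);
        StringWriter out = new StringWriter();
        template.process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws IOException, TemplateException {
        Map<String, Object> model = new HashMap<>();
        // Untrusted value (the kind of thing a user could type): must never become markup.
        model.put("dummyAnchorTagVariable", "<a href='https://example.com'>Visit mysite</a>");
        // Constructed fragment the application itself produced and wants rendered as HTML.
        model.put("trustedFragment", "<b>server-generated</b>");

        // --- FreeMarker 2.3.24+: auto-escaping through the output format ---
        Configuration modern = new Configuration(Configuration.VERSION_2_3_24);
        modern.setDefaultEncoding("UTF-8");
        // Every ${...} in templates rendered with this configuration is HTML-escaped.
        modern.setOutputFormat(HTMLOutputFormat.INSTANCE);
        String modernSource =
            "<div>${dummyAnchorTagVariable}</div>\n"   // escaped: the tags show up as text
          + "<div>${trustedFragment?no_esc}</div>\n";  // ?no_esc: inserted verbatim
        System.out.println(render(modern, "page.ftl", modernSource, model));

        // --- Pre-2.3.24: no auto-escaping; the template must escape explicitly ---
        Configuration legacy = new Configuration(Configuration.VERSION_2_3_23);
        legacy.setDefaultEncoding("UTF-8");
        // No output format is set, so ${...} is NOT escaped unless the template does it.
        String legacySource =
            "<#escape x as x?html>\n"
          + "<div>${dummyAnchorTagVariable}</div>\n"                // treated as ${...?html}
          + "<div><#noescape>${trustedFragment}</#noescape></div>\n" // raw inside #noescape
          + "</#escape>\n";
        System.out.println(render(legacy, "legacy.ftl", legacySource, model));
    }
}
```

The security-relevant point is where the default sits: with the output format set, a template author has to write ?no_esc to get raw markup, so forgetting is safe; with the legacy approach, forgetting the <#escape> wrapper (or a TemplateLoader that adds it) silently leaves every ${...} unescaped, which is what the question observed the documentation never promising.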

Related

Using < in django template

I have a newbie question. I've been recently trying out Django, and I notice that if I ever write a template tag of the sort:
{% if some_var < 10 %}
the < symbol is highlighted in sublime almost as if it's a syntax error (or warning). Now of course it works correctly, but I'm wondering why this highlighting occurs in the first place. Do some browsers have difficulty parsing < when reading HTML code or something? Please enlighten me (and > doesn't get highlighted to make matters worse!).
I'm actually considering writing a custom template tag that performs the "is less than" comparison.
Sublime probably thinks your template is a plain HTML file, in which case < and > are elements of HTML tags and don't make sense anywhere else.
You might be able to manually set the filetype to be a Django template which should fix the highlighting.
Check out the Djaneiro package. It contains an HTML (Django) syntax definition that contains scopes for template tags:
(The color scheme is my Neon Color Scheme, which contains colors specifically for Djaneiro)
Another option is to upgrade to Sublime Text 3, which is highly recommended anyway. The default HTML syntax definition (along with many other languages, including JavaScript, PHP, and Python) has been completely rewritten, and template tags are now ignored:

My backbone marionette model contains a field with escaped html in it. How do I render that field's contents as HTML and not text?

Classic problem. I want to see HTML rendered, but I'm seeing text in the browser. Whether or not I tell Handlebars.js to decode it in the template (three curly braces vs. two: {{{myHtmlData}}} vs {{myHtmlData}}), it doesn't get me there. Something about the JSON being returned via the model.fetch() has this HTML data wrapped up in such a way that it is resistant to the notion of displaying as HTML. It's always considered a string, whether encoded or decoded, so it always displays as text.
Is this just something backbone isn't meant to do?
The technologies involved here are:
backbone.marionette
handlebars.js
.NET Web API
Your data is being escaped automatically. It's a good thing, but since you're sure the data is safe HTML, use {{{}}} as in this other question: Insert html in a handlebar template without escaping.

what are invalid character for anchor tag

My application was developed in ASP.NET MVC 4. We have a list of jobs.
Now we have allowed all special characters in the job name, but
the characters </ cause an issue in creating an <a> anchor tag. I have also tried to create an anchor tag with these characters on the w3schools.com example. I noticed the same thing.
For example, job name => Test </ Test
But it will render ONLY "Test", NOT "Test </ Test".
We are creating this link in "fnRowCallback" using JavaScript, as it is a listing of jobs, and for that we have used jQuery DataTables http://legacy.datatables.net/.
Please help me: how can I prevent these characters using a regular expression on the JobName model property?
Thanks in advance.
If you mean for the display part of the anchor tag, everything should be fine - you should be getting ASP.NET MVC to perform any escaping required to represent your text properly in HTML, e.g. using #Html.AnchorLink(...). It's far better to be able to escape everything than to have to restrict your input :)
In general, raw data should never be written directly to the HTML - it can represent a huge security risk, for example. It should always be handled with the appropriate escaping, which should almost always be performed by the web presentation framework you're using rather than by any hand-crafted code.

How to sanitize user generated html code in ruby on rails

I am storing user generated HTML code in the database, but some of the code is broken (without end tags), so this code messes up the rendering of the whole page.
How could I prevent this sort of behaviour with Ruby on Rails?
Thanks
It's not too hard to do this with a proper HTML parser like Nokogiri which can perform clean-up as part of the processing method:
require 'nokogiri'
bad_html = '<div><p><strong>bad</p>'
# Parse as an HTML fragment; the parser closes the unterminated tags on the way out
puts Nokogiri::HTML.fragment(bad_html).to_s
# <div><p><strong>bad</strong></p></div>
Once parsed properly, you should have fully balanced tags.
My google-fu reveals surprisingly few hits, but here is the top one :)
Valid Well-formed HTML
Try using the h() escape function in your ERB templates to sanitize. That should do the trick.
Check out Loofah, an HTML sanitization library based on Nokogiri. This will also remove potentially unsafe HTML that could inject malicious script or embed objects on the page. You should also scrub out style blocks, which might mess up the markup on the page.

Perl AJAX stripping html characters out of string?

I have a Perl program that is reading HTML tags from a text file. (I'm pretty sure this is working because when I run the Perl program on the command line it prints out the HTML like it should.)
I then pass that "html" to the web page as the return to an ajax request. I then use innerHTML to stick that string into a div.
Here's the problem:
All the text information is getting to where it needs to be, but the "<", ">" and "/" are getting stripped.
Does anyone know the answer to this?
The question is a bit unclear to me without some code and data examples, but if it is what it vaguely sounds like, you may need to HTML-encode your text (e.g. using HTML::Entities).
I'm kind of surprised that's an issue with inserting into innerHTML, but without a specific example, that's the first thing which comes to mind.
There could be a mod on the server that is removing special characters. Are you running Apache? (I doubt this is what's happening).
If something is being stripped on the client-side, it is most likely in the response handler portion of the AJAX call. Show your code where you stick the string in the div.