Context-aware HTML Templates

Isaac Dawson, Security Researcher:

The built-in templating features [of Go] automatically encode by intelligently parsing the template and encoding dynamic values depending on where within the template the output is to be rendered.

I don’t know that Go is the first language to do this, but it’s insanely cool. Not only does the template library grok HTML, but it also understands HTML’s mongrel “tag-soup and hey, how about a dab of Javascript, and how about a glob of CSS over here?” It understands it well enough to escape template output in whatever context you stick it.

… Not only that, it is all done automatically. No explicit calls to encodeJS or htmlentities or any of that other stuff we as security professionals commonly recommend our customers to use.

I’m not going to promise “No XSS ever if you use Go templates!” but… DANG. Seems like we’ve maybe been going after the wrong problems with template languages. It’s not so much about syntax, they pretty much all use some variation of {{ Jinja or mustache }} nowadays. But automatic context-aware filtering?!? DUDE.
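To make the context-aware behaviour concrete, here is an added example (not code from the post above or from the Veracode article it links) that renders one constructed template with Go's `html/template` and, for contrast, with `text/template`. The template source, the `pageTemplate` name, and the two sample inputs are assumptions for illustration; the same `{{.}}` placeholder appears in four places, and `html/template` picks a different escaper for each without any filter being named in the template.

```go
package main

import (
	"bytes"
	"fmt"
	htmltemplate "html/template"
	"log"
	texttemplate "text/template"
)

// pageTemplate is a constructed sample. The same value is inserted in four
// different contexts: HTML text, a URL query parameter, a whole href value,
// and a JavaScript expression inside a <script> block.
const pageTemplate = `<p>{{.}}</p>
<a href="/search?q={{.}}">search</a>
<a href="{{.}}">link</a>
<script>var x = {{.}};</script>`

// RenderSafe renders pageTemplate with html/template, which parses the
// template as HTML and chooses an escaper per insertion point:
// HTML entity escaping in text, percent-encoding in the query string,
// a scheme filter plus normalisation for the whole href, and a quoted
// JavaScript string literal inside <script>.
func RenderSafe(value string) (string, error) {
	tmpl, err := htmltemplate.New("page").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, value); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderUnsafe renders the identical source with text/template, which knows
// nothing about HTML and copies the value through verbatim in every context.
func RenderUnsafe(value string) (string, error) {
	tmpl, err := texttemplate.New("page").Parse(pageTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, value); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample inputs: a tag-injection string and a javascript: URL.
	for _, payload := range []string{`<script>alert(1)</script>`, `javascript:alert(1)`} {
		safe, err := RenderSafe(payload)
		if err != nil {
			log.Fatal(err)
		}
		raw, err := RenderUnsafe(payload)
		if err != nil {
			log.Fatal(err)
		}
		fmt.Printf("--- input: %s\n\nhtml/template:\n%s\n\ntext/template:\n%s\n\n", payload, safe, raw)
	}
}
```

For the first input, `html/template` emits `&lt;script&gt;` in the paragraph, `%3cscript%3e...` in the query string, and a `"\u003cscript\u003e..."` string literal inside the script block; for the second, the bare `href` becomes `#ZgotmplZ`, the marker `html/template` substitutes when it rejects a URL whose scheme is not `http`, `https` or `mailto`. `text/template` reproduces the input verbatim four times. The one caveat worth keeping in mind: the escaping is chosen from the template's structure, so it cannot help when untrusted data is wrapped in `template.HTML`, `template.JS` or `template.URL`, or when the template text itself is assembled from untrusted input.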

http://www.veracode.com/blog/2013/12/golangs-context-aware-html-templates/