Menu
Shopify automatically escapes values if they are used in not safe way, but I have not found this feature in liquid gem.
Example:
template: <div data="{{ user_name }}">{{ user_name }}</div>
user_name: '" onclick="alert(\'XSS\')'
Shopify renders it as:
<div data="" onclick="alert('XSS')"">" onclick="alert('XSS')"</div>
Liquid gem renders it as:
<div data="" onclick="alert('XSS')">" onclick="alert('XSS')"</div>
Ruby code:
markup = '<div data="{{ user_name }}">{{ user_name }}</div>'
template = Liquid::Template.parse(markup)
template.render!('user_name' => '" onclick="alert(\'XSS\')')
How does Shopify do it?
I know that there is escape filter in liquid or I can escape values on back-end. But Shopify's solution looks safer: you don't get XSS vulnerability if forget to encode a value and code looks cleaner: {{ value }} instead of {{ value | encode }}
Thank you
224
In your Shopify store, static elements are written in HTML, and dynamic elements are written in Liquid.
Liquid is an open-source template language created by Shopify and written in Ruby. It is the backbone of Shopify themes and is used to load dynamic content on storefronts. Liquid has been in production use at Shopify since 2006 and is now used by many other hosted web applications.
I am not sure how it is "exactly done", but in the Shopify rendered output it seems that user_name was html escaped.
87
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
