While reading about Closure Templates I encountered the following statement:
Closure Templates are contextually autoescaped to reduce the risk of XSS.
As far as I know, escaping is removing ambiguity in the input string, as described here.
I am not sure what that really means; perhaps an explanation with a real-world example would be really helpful.
Auto Escape is an optional mode of execution in the Template System developed to provide a better defense against cross-site scripting (XSS) in web applications.
autoescape. Controls the current auto-escaping behavior. This tag takes either on or off as an argument and that determines whether auto-escaping is in effect inside the block. The block is closed with an endautoescape ending tag.
There's more detail on security and autoescaping at this page of the Closure Templates documentation. In particular, look at the example given here.
You will see that an input, {$x}, is escaped differently depending on where it is to be inserted in the template output (e.g. in HTML, JavaScript, CSS etc.). This is what is meant by contextual (i.e. context-dependent) autoescaping.
As described in the documentation:
- When {$x} appeared inside HTML text, we entity-encoded it (< → &lt;).
- When {$x} appeared inside a URL or as a CSS quantity, we rejected it because it had a protocol javascript: that was not http or https, and instead output a safe value #zSoyz. Had {$x} appeared in the query portion of a URL, we would have percent-encoded it instead of rejecting it outright (< → %3C).
- When {$x} appeared in JavaScript, we wrapped it in quotes (if not already inside quotes) and escaped HTML special characters (< → \x3c).
- When {$x} appeared inside CSS quotes, we did something similar to JavaScript, but using CSS escaping conventions (< → \3c ).
The malicious output was defanged.
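As an added illustration, not code from this answer or from Closure Templates itself: a small JavaScript escaper that applies the four context rules listed above to the same value, so you can see why one escaping routine cannot serve every output position. The function names, the scheme whitelist and the `#zSoyz` placeholder handling are assumptions modelled on the documented behaviour; Closure's real escapers cover many more characters and contexts.

```javascript
// Added example: a minimal contextual escaper (not Closure Templates' own code).
// Every function name below is an assumption; the behaviours mirror the four
// cases described in the Closure Templates security documentation.

const INNOCUOUS_URL = "#zSoyz"; // safe placeholder emitted for a rejected URL

// HTML text context: entity-encode the characters that could open a tag or
// break out of an attribute value.
function escapeHtml(value) {
  const table = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => table[c]);
}

// URL start context: a value with any scheme other than http/https
// (javascript:, data:, vbscript:, ...) is rejected outright and replaced
// with the innocuous URL. Relative and scheme-less URLs pass through.
function filterUrlStart(value) {
  const s = String(value).trim();
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (m && !/^https?$/i.test(m[1])) return INNOCUOUS_URL;
  return s;
}

// URL query context: the value is one parameter, so percent-encoding is enough
// to keep it from escaping that parameter (< becomes %3C).
function escapeUrlQuery(value) {
  return encodeURIComponent(String(value));
}

// JavaScript string context: wrap in quotes and hex-escape HTML-special and
// quote characters, so "</script>" inside the value cannot end the script
// block (< becomes \x3c). Only ASCII characters are escaped here, so two hex
// digits always suffice.
function escapeJsString(value) {
  const body = String(value).replace(/[<>&"'\\\/\n\r]/g, (c) =>
    "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0"));
  return "'" + body + "'";
}

// CSS string context: same idea, using the CSS escape syntax of a backslash,
// the hex code and a terminating space (< becomes "\3c ").
function escapeCssString(value) {
  return String(value).replace(/[<>&"'\\\/\n\r]/g, (c) =>
    "\\" + c.charCodeAt(0).toString(16) + " ");
}

// Render the same value {$x} into five template positions, choosing the
// escaper from the position rather than from the value.
function render(x) {
  return {
    html: `<div>${escapeHtml(x)}</div>`,
    urlStart: `<a href="${escapeHtml(filterUrlStart(x))}">link</a>`,
    urlQuery: `<a href="/search?q=${escapeHtml(escapeUrlQuery(x))}">search</a>`,
    js: `<script>var x = ${escapeJsString(x)};</script>`,
    css: `<style>div { font-family: '${escapeCssString(x)}'; }</style>`,
  };
}

// Constructed sample input: a value that would be dangerous in more than one
// context if it were inserted verbatim.
const MALICIOUS_INPUT = "javascript:alert(1)<script>";

console.log(render(MALICIOUS_INPUT));
```

Running it shows the URL position collapsing to `#zSoyz`, the HTML position carrying `&lt;script&gt;`, and the script position carrying `\x3cscript\x3e`: the same input, four different safe encodings, selected purely by where the template placed it.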