google / py-html-contextual-escaping Goto Github PK
View Code? Open in Web Editor NEWAutomatically exported from code.google.com/p/py-html-contextual-escaping
py-html-contextual-escaping's Introduction
<!doctype html> <html> <head> <meta encoding="utf-8"> <title>Py HTML Contextual Autoescaping</title> <script src="https://google-code-prettify.googlecode.com/svn/loader/run_prettify.js"></script> </head> <body> <h1>A contextual autoescaper for HTML</h1> <h2>Runtime auto-escaping</h2> <p>If analysis can't be done when a template is compiled, this module provides a file-like object that provides two methods:</p> <pre class="prettyprint"> write_safe(**strings) # Called with strings that appear in template write(**values) # Called with values supplied by caller at runtime </pre> <p>so that the sequence of calls generated by a template</p> <pre class="prettyprint"> <b><i>{{ x }}</i></b> <button onclick=foo(<i>{{ y }}</i>)> </pre> produce <pre class="prettyprint"> w.write_safe('<b>') w.write('I <3 Ponies!') w.write_safe('</b>\n<button onclick=foo(') w.write({'foo': 'bar', '"baz"': 42}) w.write_safe(')>') </pre> <p>results in the output</p> <pre class="prettyprint"> <b>I &lt;3 Ponies!</b> <button onclick="foo({&#34;foo&#34;:&#34;\x22bar\x22&#34;:42})"> </pre> <p> The safe parts are treated as literal chunks of HTML/CSS/JS, and the unsafe parts are escaped to preserve security and least-surprise. For a more comprehensive example, a template like </p> <pre class="prettyprint"> <div style="color: {{user.color}}"> <a href="/{{user.color}}?q={{$user.world}}" onclick="alert('{{helper(user)}}');return false"> {{helper(user)}} </a> <script>(function () { // Sleepy developers put sensitive info in comments. var o = {{user}}, w = "{{user.world}}"; })();</script> </div> {{template helper}} Hello, {{user.world}} {{/template}} </pre> <p>might correspond to the sequence of calls</p> <pre class="prettyprint"> # Dummy input values. user = { "world": "<Cincinatti>", "color": "blue" } color = user["color"] world = user["world"] # Alternating safe and unsafe writes that implement the template. w.write_safe("<div style=\"color: ") w.write (color) w.write_safe("\">\n<a href=\"/") w.write (color) w.write_safe("?q=") w.write (world) w.write_safe("\"\n onclick=\"alert('") helper (w, user) w.write_safe("');return false\">\n ") helper (w, user) # Helper called in a different context w.write_safe("\n </a>\n <script>(function () {\n var o = ") w.write (user) w.write_safe(",\n w = \"") w.write (world) w.write_safe("\";\n })();</script>\n</div>") </pre> <p>which result in the output</p> <pre class="prettyprint"> <div style="color: blue"> <a href="/blue?q=%3cCincinatti%3e" onclick="alert('Hello, \x3cCincinatti\x3e!');return false"> Hello, <Cincinatti>! </a> <script>(function () { var o = {"Color":"blue","World":"\u003cCincinatti\u003e"}, w = "\x26lt;Cincinatti\x26gt;"; })();</script> </div> </pre> <h2>Static auto-escaping</h2> <p>If a template system's call-graph is readily statically analyzable, the <tt>escape</tt> module can be used to propagate context and pick an escaper for each interpolation of an untrusted value into the template output. </html>
py-html-contextual-escaping's People
Contributors
Stargazers
Watchers
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.