BorisMoore / jquery-tmpl

The original official jQuery Templates plugin. This project was maintained by the jQuery team as an official jQuery plugin. It is no longer in active development, and has been superseded by JsRender.

Incorrect html encoding #79

Open BorisMoore opened 13 years ago

BorisMoore commented 13 years ago

Issue copied from Trac: http://bugs.jquery.com/ticket/7199:

Templating plugin doesn't encode the '&' character. When I have the following text in the data object: ' ', the templating plug-in renders whitespace instead of this string.

jquery.tmpl.js contains the following comment in the 'encode' function: Do HTML encoding replacing < > & and ' and " by corresponding entities. But no manipulation of the '&' character exists:

return ("" + text).split("<").join("&lt;").split(">").join("&gt;").split('"').join("&#34;").split("'").join("&#39;");

I've uploaded a testcase (reduced) at http://jonathan.protzenko.free.fr/jquery-tmpl/t.xhtml .

The thing is, simply using ${t} within the template when t = "&" makes the ultimate .innerHTML call fail, because ampersands simply are not encoded properly. When the document happens to be XML, this is fatal. This is especially painful for XML+XHTML documents, because that makes the whole thing a syntax error, and the templating fails.

As a side note, I have a very good reason for using strict XML, so switching to a non-XML document is not a solution.

BorisMoore commented 13 years ago

Thanks Jonathan. Makes sense, and I will be looking at fixing this within Beta2.

BorisMoore commented 13 years ago

Including encoding of & needs to be addressed in a way that reduces the risk of over-encoding. The following proposal from Mike Samuel (from an email exchange) is relevant here:

The minimal change that solves the immediate problem of XML is to do

.replace(/&(?!(?:amp|lt|gt|quot|#(?:x[0-9a-f]{0,6}|[0-9]{0,8}));)/gi, '&amp;')

or the split and join equivalent.

That will not over-escape the XML predefined entities, but will over-escape &uuml; and the like.

In general, I think the best solution is what I outlined at http://js-quasis-libraries-and-repl.googlecode.com/svn/trunk/safetemplate.html#sanitized_content_types

""" Finally, once a bug has been identified, we try to make sure there are simple bugfixing recipes.

...

Sanitized content allows template users to pre-sanitize some content, and allow approved structured content.

new SanitizedContent('<b>Hello, World!</b>') specifies a chunk of HTML that the creator asserts is safe to embed in HTML PCDATA.

It is possible for misuse of this feature to violate all the safety properties contextual auto-sanitization provides. We assert that allowing this makes it easier to migrate code that has no XSS safety net to a better place, and satisfies some compelling use cases including HTML translated into foreign languages by trusted translators, and HTML from tag whitelisters, wiki-text-to-html converters, rich text editors. But it needs to be used carefully. Developers should:

- Don't roll your own escapers, and deprecate ones in existing code. This does not apply to filters.
- Filter early, and filter often.
- Put the sanitized content type constructor as close as possible to the code that does the sanitization.
- Don't use tag or attribute black-lists.
- Be skeptical of "safe" HTML from a database. This is a vector for SQL Injection to turn into XSS. """
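The beta1 encode() behaviour and Mike Samuel's proposed ampersand-aware variant, side by side, as an added example (not jquery-tmpl's own code). The function and sample names are assumptions; the regex is the one quoted in the comment above.

```javascript
// Mirrors the beta1 encode(): handles < > " ' but never touches '&',
// which is what leaves a bare '&' in the output and breaks XML parsing.
function encodeBeta1(text) {
  return ("" + text)
    .split("<").join("&lt;")
    .split(">").join("&gt;")
    .split('"').join("&#34;")
    .split("'").join("&#39;");
}

// Proposed minimal fix: escape '&' first, but leave an '&' alone when it
// already starts an XML predefined reference (&amp; &lt; &gt; &quot;) or a
// numeric character reference (&#...; / &#x...;). Trade-off: a literal
// "&lt;" in the data is trusted as-is and therefore renders as "<".
const BARE_AMP = /&(?!(?:amp|lt|gt|quot|#(?:x[0-9a-f]{0,6}|[0-9]{0,8}));)/gi;

function encodeProposed(text) {
  return encodeBeta1(("" + text).replace(BARE_AMP, "&amp;"));
}

// Constructed sample data values, as they would appear in a ${field} slot.
const SAMPLES = [
  "a & b",           // the reported bug: bare ampersand
  "&amp;",           // already-encoded XML entity: must not be doubled
  "&#x26;",          // numeric reference: left alone
  "&uuml;",          // HTML-only named entity: over-escaped by the proposal
  '<b onclick="x">'  // markup in data: must come out inert either way
];

// Returns one row per sample so the two behaviours can be compared.
function compare(samples) {
  return samples.map(s => ({
    input: s, beta1: encodeBeta1(s), proposed: encodeProposed(s)
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of compare(SAMPLES)) console.log(row);
}
```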

rdworth commented 13 years ago

Thanks for taking the time to submit this issue. Just wanted to let you know this plugin is no longer being actively developed or maintained by the jQuery team. See README for more info.

BorisMoore commented 13 years ago

Improved encoding support is coming in JsRender. See the post for more context.

geekbuntu commented 13 years ago

Is there an escape char for HTML-safe tmpl output? I have a form I want to include; the form renders in Firebug under the JSON tab, but will not inside the template. TIA, Greg