Pylons / pyramid

Pyramid - A Python web framework
https://trypyramid.com/

Mako's "default_filters"'s default value should protect against XSS #193

Closed abourget closed 13 years ago

abourget commented 13 years ago

We should have Mako's "mako.default_filters" be set to 'h' by default in settings.. or at least documented near the areas where we explain how to tie in Mako to Pyramid, and explain the implications (XSS attacks.. and why not a link to OWASP: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS) ). We could also note that we can reverse the process with ${something|n}.. when we explicitly want to render HTML and we trust the source.

It seems to be the default in Chameleon, but Mako templates are left behind :)

mmerickel commented 13 years ago

Pylons does this using webhelpers.html.escape as the default filter in its configuration.

http://sluggo.scrapping.cc/python/WebHelpers/modules/html/builder.html

Is there a way we can do this without adding webhelpers as a dependency?

virhilo commented 13 years ago

the 'h' filter, as abourget says: http://www.makotemplates.org/docs/filtering.html#expression-filtering It uses markupsafe.escape.

mmerickel commented 13 years ago

Ugh not sure why I went straight to the Pylons code for this... I just knew it did it in the paster templates.

marcinkuzminski commented 7 years ago

Just a note on this issue.

During porting of code we noticed that None from Pylons is not converted to an empty string in Pyramid. This is a small difference between the default filters in Pylons vs the Pyramid ones. In Pylons the default escape filter also converted None to an empty string.

Maybe it will help someone in future to avoid problems

mmerickel commented 7 years ago

@marcinkuzminski The best exposure for this is probably in the pylons part of the pyramid cookbook.

marcinkuzminski commented 7 years ago

Good idea, if we find time we'll contribute our filter used now for backport:

```python
import markupsafe


def h_filter(s):
    """
    Custom filter for Mako templates. Mako by standard uses `markupsafe.escape`;
    we wrap this with additional functionality that converts None to empty
    strings.
    """
    if s is None:
        return markupsafe.Markup()
    return markupsafe.escape(s)
```

stevepiercy commented 7 years ago

In the cookbook, we have this under Templates for Pyramid: https://docs.pylonsproject.org/projects/pyramid_cookbook/en/latest/templates/templates.html#rendering-none-as-the-empty-string-in-mako-templates

And under Pylons, Templates: https://docs.pylonsproject.org/projects/pyramid_cookbook/en/latest/pylons/templates.html

Maybe in the latter add a sentence with a link to the former?

mmerickel commented 7 years ago

Good catch. It looks like the right solution @stevepiercy. @marcinkuzminski does escape_silent work for you?

marcinkuzminski commented 7 years ago

@stevepiercy ohh, I missed that. It's exactly the thing we have been looking for. Somehow I couldn't find it easily.

@mmerickel escape_silent is exactly what our function does.

stevepiercy commented 7 years ago

@marcinkuzminski where were you looking? I can add a sentence and link as I suggested above, as well as any other place that Pylons-to-Pyramid developers might be looking.

marcinkuzminski commented 7 years ago

@stevepiercy mostly Google, I totally forgot about the cookbook. Probably now I'd search there first.

ghost commented 5 years ago

I'm looking at Mako for the first time, and noticed that the security-oriented linter Bandit warns about use of Mako. Is this warning still true or should the warning be removed on Bandit?

```
Unlike Jinja2 (an
alternative templating system), Mako has no environment wide variable escaping
mechanism. Because of this, all input variables must be carefully escaped
before use to prevent possible vulnerabilities to Cross Site Scripting (XSS)
attacks.

:Example:

.. code-block:: none

    >> Issue: Mako templates allow HTML/JS rendering by default and are
    inherently open to XSS attacks. Ensure variables in all templates are
    properly sanitized via the 'n', 'h' or 'x' flags (depending on context).
    For example, to HTML escape the variable 'data' do ${ data |h }.
       Severity: Medium   Confidence: High
       Location: ./examples/mako_templating.py:10
    9
    10  mako.template.Template("hern")
    11  template.Template("hern")
```

https://github.com/PyCQA/bandit/blob/02bad2e42311f420aef52dcd9806d66516ef594d/bandit/plugins/mako_templates.py#L72

digitalresistor commented 5 years ago

Mako is not shipped with pyramid anymore, nor does pyramid have a "default" rendering engine. pyramid_mako exists for those that want to use mako templates with Pyramid.

That being said, it is entirely possible that you are using mako templating insecurely, that is not something that we can conclusively say anything about.

Mako however DOES support default filters, see https://docs.makotemplates.org/en/latest/filtering.html#the-default-filters-argument. Can you use Mako insecurely, yes, can you use it securely, also yes.