Currently Textpattern uses bit strange encoding methods choices for different
data types. These encoding methods do the most important job which to prevent
straight out XSS in HTML context, but don't exactly generate proper output.
The function that is thrown almost in any situation is txpspecialchars() (i.e.
htmlspecialchars()), even in cases where it's not the proper tool.
txpspecialchars() should be used only for HTML documents. For situations such
as:
- Any HTML attribute value should be prepared with it (where it doesn't cause
any conflicts).
- Plain-text strings presented in HTML documents.
But excluding:
- query parameters in attributes such as 'src' and 'href'. Those should use
proper URL encoding OR not encoding at all, leaving the responsibility for the
use-case.
- Anything JavaScript.
JavaScript strings should be prepared with either:
- escape_js()
- json_encode()
This depends on what the value is for and from where. If the value needs to be
encoded for HTML too, then the value needs to be passed BOTH txpspecialchars()
and escape_js()/json_encode().
Of course use of txpspecialchars() is almost never needed since the value is
for JavaScript and not HTML. JavaScript side should handle the values correctly
from the start. If there are XSS issue spawning from JavaScript, it should be
fixed in JavaScript. Not by passing incorrectly encoded values for JavaScript.
URLs:
- URLs, and query strings specifically, for the most part should not be touched
with none of those. Just urlencoding or nothing. Encoding it for HTML encodes
it for HTML, not for query string.
Original issue reported on code.google.com by jukka.m.svahn on 26 Oct 2012 at 9:35
Original issue reported on code.google.com by
jukka.m.svahn
on 26 Oct 2012 at 9:35