coto / gae-boilerplate

Google App Engine Boilerplate
https://dev-dot-sandengine.appspot.com/

Script injection is made easy. #211

Open kordless opened 11 years ago

kordless commented 11 years ago

Purpose

We don't want people launching projects which are susceptible to script injections. We should make it less easy to do so with GAEB.

Description

It appears the default behavior for Jinja2 is to have autoescape turned on. I ran a few tests on a default install of GAEB, and it appears strings are NOT being escaped for JavaScript! o_O

Given someone were to write a bit of code, like I'm doing for the blog module, it could become an issue and they might not realize it. Their software (and users) would become vulnerable. FWIW the default install of GAEB doesn't immediately expose any issues because there are no written user-to-user interactions in the code. For example, I can't post content or a string and have others see it in the default deployment.

Task/Solution

Can someone start by poking around and give an assessment on why the (apparent) default behavior of Jinja2 is turned off?

kordless commented 11 years ago

It would appear Bleach is our best bet for this. Whitelisting tags is the way to roll in script injection prevention 101. https://github.com/jsocol/bleach

snvandoorn commented 10 years ago

In the Jinja2 documentation I found this - which indicates that escaping is not the default - for valuable reasons.

Why is Autoescaping not the Default? There are multiple reasons why automatic escaping is not the default mode and also not the recommended one. While automatic escaping of variables means that you will less likely have an XSS problem it also causes a huge amount of extra processing in the template engine which can cause serious performance problems. As Python doesn’t provide a way to mark strings as unsafe Jinja has to hack around that limitation by providing a custom string class (the Markup string) that safely interacts with safe and unsafe strings.

With explicit escaping however the template engine doesn’t have to perform any safety checks on variables. Also a human knows not to escape integers or strings that may never contain characters one has to escape or already HTML markup. For example when iterating over a list over a table of integers and floats for a table of statistics the template designer can omit the escaping because he knows that integers or floats don’t contain any unsafe parameters.

Additionally Jinja2 is a general purpose template engine and not only used for HTML/XML generation. For example you may generate LaTeX, emails, CSS, JavaScript, or configuration files.
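As an added example (not code from this issue, from GAEB, or from Bleach), here is the "whitelist the tags" idea kordless points at, done with only the Python standard library: tags outside an allow-list are dropped, attributes that can carry script are dropped, text is HTML-escaped, and only absolute http(s) links survive. The allow-list, the scheme check and the test inputs are my own choices; this complements, rather than replaces, enabling autoescape on the Jinja2 Environment (`autoescape=True`) that the quoted docs discuss.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allow-list (constructed for this example); anything not listed is dropped.
ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "a", "ul", "li"}
ALLOWED_ATTRS = {"a": {"href"}}

class _Sanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []  # kept tags still open, so output stays balanced

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <script>, <img onerror=...>, <iframe> etc. vanish here
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue  # on* handlers and style never survive
            if name == "href" and urlparse(value).scheme not in ("http", "https"):
                continue  # only absolute http(s); javascript:, data:, relative dropped
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return  # stray or disallowed closing tag
        while self.open_tags:  # close nested kept tags down to this one
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        self.out.append(escape(data, quote=True))  # text is always escaped

    def close(self):
        super().close()
        while self.open_tags:  # input ended with tags still open
            self.out.append(f"</{self.open_tags.pop()}>")

def sanitize(untrusted_html: str) -> str:
    """Return HTML safe to embed in a page, e.g. a user-written blog post."""
    parser = _Sanitizer()
    parser.feed(untrusted_html)
    parser.close()
    return "".join(parser.out)
```

Like Bleach in strip mode, a disallowed element's text is kept but its tag is gone, so `<script>alert(1)</script>` comes out as the harmless text `alert(1)`.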