fhd
commented
7 years ago Thanks! Sorry for letting this sit so long :disappointed: You're right, the escaping logic is a bit naive, I've added an issue for rethinking it: #53.
Closed jimmythompson closed 7 years ago
fhd
commented
7 years ago Thanks! Sorry for letting this sit so long :disappointed: You're right, the escaping logic is a bit naive, I've added an issue for rethinking it: #53.
Using a moustache inside a HTML attribute wrapped with single quotes will allow a user to execute malicious JavaScript because Clostache doesn't escape single quotes.
Example:
<a href='/user/{{username}}'>{{username}}</a>can be easily escaped ifusernamewas set tofoo' onmouseover='alert(1).We should also be escaping more characters due to the crazy nature in which people can write renderable HTML, but single quoted attributes is a pretty common thing.
Reference: http://wonko.com/post/html-escaping