sunng87 / handlebars-rust

Rust templating with Handlebars
MIT License

Security issue: escaping is not contextual, potential XSS #393

Open empijei opened 3 years ago

empijei commented 3 years ago

Handlebars currently escapes only based on one function and allows users to specify a custom one, but within a certain template execution it only uses one escaping mechanism.

This means that values interpolated in different contexts (html attributes, html text, script, style, urls) are all escaped in the same way, which is known to be a cause for XSS.

This makes tera inherently unsafe. You can read more about it here (please see "Strawman I: Non-contextual auto-sanitization").

This should either be:

Contextual auto escaping is implemented in many safe templates like Java Soy, Python Soy, Angular templates, Go standard html/template and safehtml/template or Jinja2 (even though in Jinja2 it is disabled by default) and others.

The TL;DR of the mechanism is to parse the HTML sources, understand the context that user data is being interpolated in and pick the appropriate escaping function accordingly.
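
The mechanism described in the comment above (parse the markup before the placeholder, work out which context the value lands in, and pick the escaper for that context) as an added, self-contained Rust example. This is not handlebars-rust code and not code from the issue author. It assumes a single `{{x}}` placeholder, a deliberately small heuristic context detector (real implementations use a full HTML state machine), an allow-list of URL schemes, and `about:invalid` as an inert replacement for rejected URLs; all of those are assumptions made for the example.

```rust
/// Output contexts this toy escaper distinguishes (assumption: a small subset).
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Context {
    HtmlText,         // between tags
    HtmlAttrQuoted,   // inside a "..." or '...' attribute value
    HtmlAttrUnquoted, // attribute value with no quotes: whitespace ends it
    UrlAttr,          // href/src/action: the scheme must be checked too
    JsString,         // inside a quoted string literal in <script>
}

/// Heuristic: decide the context at the end of `prefix`, the template text
/// that precedes the placeholder. Good enough to show the idea, not a parser.
pub fn infer_context(prefix: &str) -> Context {
    let lower = prefix.to_ascii_lowercase();
    // Inside an unclosed <script> block: treat as a JS string literal.
    if let Some(pos) = lower.rfind("<script") {
        if lower[pos..].find("</script").is_none() {
            return Context::JsString;
        }
    }
    // Inside an unclosed tag: look at the attribute whose '=' we follow.
    if let Some(lt) = lower.rfind('<') {
        let tag = &lower[lt..];
        if !tag.contains('>') {
            if let Some(eq) = tag.rfind('=') {
                let name_part = tag[..eq].trim_end();
                let attr = name_part.rsplit(|c: char| c.is_whitespace()).next().unwrap_or("");
                let after = &tag[eq + 1..];
                let quoted = after.starts_with('"') || after.starts_with('\'');
                if matches!(attr, "href" | "src" | "action") {
                    return Context::UrlAttr;
                }
                return if quoted { Context::HtmlAttrQuoted } else { Context::HtmlAttrUnquoted };
            }
        }
    }
    Context::HtmlText
}

/// The one-size-fits-all HTML escaper: correct for text and quoted attributes only.
pub fn escape_html(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#x27;"),
            _ => out.push(c),
        }
    }
    out
}

/// Unquoted attribute value: whitespace, '=', '`' and quotes all terminate or
/// alter the value, so everything outside a small safe set is entity-encoded.
pub fn escape_attr_unquoted(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        if c.is_ascii_alphanumeric() || "-._:/?#%".contains(c) {
            out.push(c);
        } else {
            out.push_str(&format!("&#x{:x};", c as u32));
        }
    }
    out
}

/// URL context: keep relative URLs and allow-listed schemes, replace the rest
/// with an inert placeholder (assumption: the placeholder text is arbitrary).
pub fn sanitize_url(s: &str) -> String {
    // Browsers ignore control characters inside a scheme, so drop them first.
    let cleaned: String = s.trim().chars().filter(|c| !c.is_control()).collect();
    let lower = cleaned.to_ascii_lowercase();
    match lower.find(':') {
        None => cleaned,
        Some(i) => {
            let scheme = &lower[..i];
            let looks_like_scheme = !scheme.is_empty()
                && scheme.chars().all(|c| c.is_ascii_alphanumeric() || "+.-".contains(c));
            if !looks_like_scheme || matches!(scheme, "http" | "https" | "mailto" | "tel") {
                cleaned
            } else {
                "about:invalid".to_string()
            }
        }
    }
}

/// JS string literal: backslash-escape so the value cannot close the literal
/// or the surrounding <script> element.
pub fn escape_js_string(s: &str) -> String {
    let mut out = String::with_capacity(s.len());
    for c in s.chars() {
        match c {
            '\\' => out.push_str("\\\\"),
            '\'' => out.push_str("\\x27"),
            '"' => out.push_str("\\x22"),
            '<' => out.push_str("\\x3c"),
            '>' => out.push_str("\\x3e"),
            '&' => out.push_str("\\x26"),
            '\n' => out.push_str("\\n"),
            '\r' => out.push_str("\\r"),
            '\u{2028}' => out.push_str("\\u2028"),
            '\u{2029}' => out.push_str("\\u2029"),
            _ => out.push(c),
        }
    }
    out
}

/// Pick the escaper from the context instead of applying one function everywhere.
pub fn escape_for(ctx: Context, value: &str) -> String {
    match ctx {
        Context::HtmlText | Context::HtmlAttrQuoted => escape_html(value),
        Context::HtmlAttrUnquoted => escape_attr_unquoted(value),
        Context::UrlAttr => escape_attr_unquoted(&sanitize_url(value)),
        Context::JsString => escape_js_string(value),
    }
}

/// Render a template with one `{{x}}` placeholder (assumption of this example).
pub fn render(template: &str, value: &str) -> Option<(Context, String)> {
    let (prefix, suffix) = template.split_once("{{x}}")?;
    let ctx = infer_context(prefix);
    Some((ctx, format!("{}{}{}", prefix, escape_for(ctx, value), suffix)))
}

fn main() {
    for (tpl, val) in [
        ("<p>{{x}}</p>", "a < b"),
        ("<div class={{x}}>", "a b"),
        ("<a href=\"{{x}}\">go</a>", "javascript:void(0)"),
        ("<script>var n = '{{x}}';</script>", "it's"),
    ] {
        if let Some((ctx, out)) = render(tpl, val) {
            println!("{:?}: {}", ctx, out);
        }
    }
}
```

The unquoted-attribute case is the clearest illustration of the bug the issue describes: `escape_html("a b")` returns the string unchanged, and in `<div class={{x}}>` the space ends the attribute value, whereas the attribute-context escaper encodes it; likewise the HTML escaper leaves a `javascript:` scheme untouched because none of `&<>"'` appear in it, so only the URL-context step can reject it.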

sunng87 commented 3 years ago

Thanks for the great insight.

Soy template seems to have the contextautoesc module as an example. I will definitely look into this.