mikesamuel
commented
4 years ago @gibson042 @bathos @jridgewell
I put together an example.
I've done some other work on tag functions that mark their output as trusted based on assumptions about the provenance of tag template inputs include:
- safesql which aims to address SQL Injection.
- sh-template-tag which aims to address Shell Injection.
- pug-template-tag which uses a plugin to contextually auto-escape pug templates
Those are based on the outcome of the "Node Security Roadmap" discussion of Structured Strings
bathos
Fix #12
This does not meet @gibson042's requirement:
but as explained on the issue, I think that's the wrong standard.
If we can assume some mechanism to solve provisioning, getting a sensitiveOperation to a tag function without providing it to all the tag function's potential callers, then an unbypassable isTemplateObject check can provide value.
Trusted Types has provisioning machinery, so the example uses that.