Hi folks,
I'm the maintainer of Haml, and I've been hearing all about the new on-
by-default XSS protection stuff. I'm wondering what your plan for
compatibility with alternate templating engines is. I'd really
appreciate not having to come up with all sorts of alternate
compilation paths for Rails code with XSS protection enabled - this
would make the code much more brittle, and apt to break in odd Rails-
specific ways that will be hard for users to understand and hard for
me to track down.
- Nathan Weizenbaum
> I'm the maintainer of Haml, and I've been hearing all about the new on-
> by-default XSS protection stuff. I'm wondering what your plan for
> compatibility with alternate templating engines is. I'd really
> appreciate not having to come up with all sorts of alternate
> compilation paths for Rails code with XSS protection enabled - this
> would make the code much more brittle, and apt to break in odd Rails-
> specific ways that will be hard for users to understand and hard for
> me to track down.
Your templating engine should continue to work 100% without any
errors. The 'escape-me' behaviour is limited to the erb template
handler (builder already does this obviously).
If you *want* on by default escaping you'll just need to work with an
ActionView::SafeBuffer instead of a string.
The only surprise you could get is if you use with_output_buffer and
*don't* pass it a buffer, in that case it'll now default to a safe
buffer.
Koz,
The problem is that we’re telling people that XSS is on by default, when using an alternate template engine drives a big truck through that firewall.
We need a simple API for alternate template engines opting in to this behavior. Nathan, what about the current APIs is too cumbersome for your needs?
Koz, Any thoughts on how we might make it easier to opt in? What about a dev. mode warning if you’re using a template engine that doesn’t escape?
– Yehuda
Koz,
> The problem is that we're telling people that XSS is on by default, when
> using an alternate template engine drives a big truck through that firewall.
There's no way to avoid this, template engines maintain their own
buffer which we have no control over.
> Koz, Any thoughts on how we might make it easier to opt in? What about a
> dev. mode warning if you're using a template engine that doesn't escape?
The only way we could detect this is if a render call returned
something other than a SafeBuffer and was an engine other than
builder. I think you're making more out of this than you need to,
alternative engines such as ones which generate pdfs or other non-html
formats have nothing to do with this.
I'd be happy if we rejigged the marketing message to say "erb and
builder templates are xss safe" but that seems needless hesitation.
It's trivial for other templates to opt in, and I say we just
encourage them to.
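The opt-in Koz describes (build the engine's output in a SafeBuffer rather than a plain String) and the dev-mode check Yehuda asked about, written out as an added Ruby example that is not part of this thread and not Rails' or Haml's own code. It is a deliberately simplified model of the SafeBuffer contract: the SafeBuffer class here, the EscapingEngine and PlainEngine toy engines, and the check_engine helper are all assumed for illustration; the real ActionView::SafeBuffer does more than this.

```ruby
require 'cgi'

# Simplified model (assumption, not the Rails implementation) of the
# html_safe marking that ActiveSupport adds to String.
class String
  def html_safe?
    false
  end

  # Mark trusted markup so that appending it to a SafeBuffer does not escape it.
  def html_safe
    SafeBuffer.new(self)
  end
end

# A String subclass that escapes anything appended to it unless the appended
# value is itself already marked safe. Content passed to new is treated as trusted.
class SafeBuffer < String
  def html_safe?
    true
  end

  # Plain strings are escaped on append; safe strings are concatenated unchanged.
  def <<(value)
    super(value.html_safe? ? value.to_s : CGI.escapeHTML(value.to_s))
  end

  def concat(value)
    self << value
  end

  def +(other)
    dup << other
  end

  # String#to_s on a subclass returns a plain String, which would drop the
  # safety mark, so return self instead.
  def to_s
    self
  end
end

# Toy template engine (assumed name) that opts in: it builds its output in a
# SafeBuffer, so user input is escaped and trusted markup is left alone.
class EscapingEngine
  def render(user_input)
    buf = SafeBuffer.new("<p>")
    buf << user_input          # plain String: escaped
    buf << "</p>".html_safe    # trusted markup: appended unchanged
  end
end

# Toy engine (assumed name) that keeps its own String buffer and interpolates
# raw input, i.e. the case that bypasses on-by-default escaping.
class PlainEngine
  def render(user_input)
    "<p>#{user_input}</p>"
  end
end

# The dev-mode heuristic Koz mentions: a render call whose result is not a
# SafeBuffer came from an engine that is not participating in escaping.
def check_engine(engine, sample = "<b>untrusted</b>")
  engine.render(sample).html_safe? ? :escaping : :not_escaping
end

if __FILE__ == $PROGRAM_NAME
  puts EscapingEngine.new.render("<b>untrusted</b>")   # <p>&lt;b&gt;untrusted&lt;/b&gt;</p>
  puts PlainEngine.new.render("<b>untrusted</b>")      # <p><b>untrusted</b></p>
  puts check_engine(EscapingEngine.new)                # escaping
  puts check_engine(PlainEngine.new)                   # not_escaping
end
```

The point of the model is that escaping happens at the buffer boundary, not in the engine's syntax: an engine only has to produce and append to a SafeBuffer, and anything it appends that is not already marked safe is escaped for it. The check_engine heuristic is exactly the limited detection Koz describes; it can tell a String-returning engine from a SafeBuffer-returning one, but it says nothing about non-HTML engines (PDF and similar) for which the question does not apply.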
Maybe a simple wiki page with a table listing the currently supported
template engines and its features is enough. One of these features
would obviously be "XSS safe"
Uhm, but all templating engines have their own way of handling. Haml
escapes by default in its latest releases, right? (I've been out of
touch for a long while) Or is it a setting? (in which case, it could
be turned on by default on rails)
-foca