|No such thing as a small change|
How to test all TT2 tags are escaped.by chrestomanci (Priest)
|on Oct 28, 2013 at 11:21 UTC||Need Help??|
chrestomanci has asked for the
wisdom of the Perl Monks concerning the following question:
Greetings wise brothers, I seek your wisdom in the matter of how to prevent our carelessness from allowing the forces of darkness to infect our domains with evil so that innocent visitors are not infected with that evil.
Specifically I want to automatically prevent at least one vector for Cross-site_scripting attacks on a website.
I am working on a website project, using Dancer with Template Toolkit. The templates are maintained by a separate design team who are not coders, but are good at making the site look aesthetically pleasing.
In order to reduce the chance of XSS on the website we have decided that all that variables interpolated by TT2 must be escaped via a suitable filter (html, html_entity, uri, url or xml). The problem is that people tend to forget to do that when writing templates, and it is not obvious that anything is wrong because for normal input variables the template works fine.
I have already searched the monastery and other places and found that it is not possible to configure TT2 to pass all variables through a filter when interpolating them, so I am looking for some way to check templates to ensure that all variable interpolation includes a suitable filter. Up until now this check has been done manually during code review, but it is tedious and prone to error, so we would like to automate the process. I am hopping to put such a check as a commit trigger in git, and as as unit test on the whole codebase, so that it is hard to commit an unsafe template into git, and if one sneaks in anyway it will get detected by the automatic unit tests and not merged.
It looks like it should be fairly straightforward to write an imperfect checking script using basic regular expressions that simply looks for variables in [% %] tags that don't start with a control directive IF, FOREACH etc, or end with | html but that would generate a fair few false errors, and require ongoing maintenance.
Alternatively it looks like I could dig deeply into TT2's parser, compiler and document model to find every instance of where a variable is interpolated, and check if it passes through a filter before appearing in the output. That approach would be much more reliable, but would represent at least a week of work, that I don't want to spend on this particular problem.
Can the monastery suggest a way forward. Is there a testing script or module out there that I have not found?
One thing I can't do is switch to a different templating system that supports automatic filters. I am aware of alternatives such as Text::Xslate, and how they can automatically escape html, are much faster and some even have TT2 like syntax. The problem is that the design department only knows TT2, they don't want to learn anything else, and they will push back hard against any attempt to change.