Greetings wise brothers, I seek your wisdom in the matter of how to prevent our carelessness from allowing the forces of darkness to infect our domains with evil so that innocent visitors are not infected with that evil.

Specifically, I want to automatically prevent at least one vector for cross-site scripting attacks on a website.


I am working on a website project, using Dancer with Template Toolkit. The templates are maintained by a separate design team who are not coders, but are good at making the site look aesthetically pleasing.

In order to reduce the chance of XSS on the website we have decided that all variables interpolated by TT2 must be escaped via a suitable filter (html, html_entity, uri, url or xml). The problem is that people tend to forget to do that when writing templates, and it is not obvious that anything is wrong because for normal input variables the template works fine.

I have already searched the monastery and other places and found that it is not possible to configure TT2 to pass all variables through a filter when interpolating them, so I am looking for some way to check templates to ensure that all variable interpolation includes a suitable filter. Up until now this check has been done manually during code review, but it is tedious and prone to error, so we would like to automate the process. I am hoping to put such a check as a commit trigger in git, and as a unit test on the whole codebase, so that it is hard to commit an unsafe template into git, and if one sneaks in anyway it will get detected by the automatic unit tests and not merged.

Possible solutions:

It looks like it should be fairly straightforward to write an imperfect checking script using basic regular expressions that simply looks for variables in [% %] tags that don't start with a control directive (IF, FOREACH etc.) or end with | html, but that would generate a fair few false errors and require ongoing maintenance.

Alternatively it looks like I could dig deeply into TT2's parser, compiler and document model to find every instance of where a variable is interpolated, and check if it passes through a filter before appearing in the output. That approach would be much more reliable, but would represent at least a week of work, that I don't want to spend on this particular problem.

Can the monastery suggest a way forward? Is there a testing script or module out there that I have not found?

One thing I can't do is switch to a different templating system that supports automatic filters. I am aware of alternatives such as Text::Xslate, and how they can automatically escape html, are much faster and some even have TT2-like syntax. The problem is that the design department only knows TT2, they don't want to learn anything else, and they will push back hard against any attempt to change.

In reply to How to test all TT2 tags are escaped. by chrestomanci
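
The regular-expression check described in the post could look like the sketch below. It is an added example, not code from the original post or from Template Toolkit; the helper name `find_unescaped`, the partial directive list and the sample template are constructed for illustration, and it assumes the default `[% %]` tag style with one statement per tag.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Filters the post accepts as safe escaping.
my $SAFE = qr/(?:html|html_entity|uri|url|xml)/;
# Directives that print no variable themselves (partial list, an assumption).
my $DIRECTIVE = qr/^(?:IF|ELSIF|ELSE|UNLESS|FOREACH|FOR|WHILE|END|SET|DEFAULT
    |INCLUDE|PROCESS|WRAPPER|BLOCK|MACRO|USE|FILTER|SWITCH|CASE|NEXT|LAST
    |CALL|META|TRY|CATCH|THROW|FINAL)\b/x;

# Hypothetical helper: returns [line, tag body] for each unfiltered output tag.
sub find_unescaped {
    my ($template) = @_;
    my @bad;
    while ($template =~ /\[%[-+=~]?\s*(.*?)\s*[-+=~]?%\]/gs) {
        my ($body, $start) = ($1, $-[0]);
        next if $body eq '' or $body =~ /^#/;   # empty tag or comment
        next if $body =~ $DIRECTIVE;            # control flow, no direct output
        next if $body =~ /^[\w.]+\s*=[^=]/;     # plain assignment
        # The last filter in the chain must be one of the safe ones.
        next if $body =~ /(?:\||\bFILTER)\s*$SAFE\s*$/;
        my $line = 1 + (substr($template, 0, $start) =~ tr/\n//);
        push @bad, [$line, $body];
    }
    return @bad;
}

# Constructed sample template, scanned when no file names are given.
my $sample = <<'TT';
<h1>[% title | html %]</h1>
[% IF user %]
  <p>Hello [% user.name %]</p>
  <a href="/u?n=[% user.name | uri %]">[% user.bio FILTER html_entity -%]</a>
[% END %]
[%# a comment %][% count = 0 %][% GET motd %]
TT

my $failed = 0;
for my $file (@ARGV ? @ARGV : \$sample) {
    open my $fh, '<', $file or die "cannot open $file: $!";
    my $text = do { local $/; <$fh> };
    for my $hit (find_unescaped($text)) {
        printf "%s:%d: unescaped [%% %s %%]\n",
            ref($file) ? 'sample' : $file, @$hit;
        $failed = 1;
    }
}
exit $failed;   # non-zero exit lets a git hook or test harness reject the change
```

Anything the patterns do not recognise is reported rather than passed, so false positives are expected while an unfiltered plain variable is not silently accepted.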
