11 lines
1.1 KiB
Plaintext
11 lines
1.1 KiB
Plaintext
To reduce the risk of cross-site scripting attacks, templating systems, such as ``++Twig++``, ``++Django++``, ``++Smarty++``, ``++Groovy's template engine++``, allow configuration of automatic variable escaping before rendering templates. When escape occurs, characters that make sense to the browser (eg: <a>) will be transformed/replaced with escaped/sanitized values (eg: & lt;a& gt; ).
|
|
|
|
|
|
Auto-escaping is not a magic feature to annihilate all cross-site scripting attacks, it depends on https://twig.symfony.com/doc/3.x/filters/escape.html[the strategy applied] and the context, for example a "html auto-escaping" strategy (which only transforms html characters into https://developer.mozilla.org/en-US/docs/Glossary/Entity[html entities]) will not be relevant when variables are used in a https://en.wikipedia.org/wiki/HTML_attribute[html attribute] because \'``++:++``' character is not escaped and thus an attack as below is possible:
|
|
|
|
|
|
----
|
|
<a href="{{ myLink }}">link</a> // myLink = javascript:alert(document.cookie)
|
|
<a href="javascript:alert(document.cookie)">link</a> // JS injection (XSS attack)
|
|
----
|