Feature #8000

Use XML parser for WTemplate rendering instead of simple text substitution

Added by Roel Standaert 6 months ago. Updated 6 months ago.

Status: New
Priority: Normal
Assignee: -
Target version:
Start date: 01/27/2021
Due date:
% Done: 0%
Estimated time:

Description

Right now, we're doing a simple find and replace when writing out the template text of WTemplate.

However, if we properly use an XML parser, we can do things like:

  • Strip comments
  • Do context sensitive escaping: right now we always assume variables are in the text body. However, users may use them inside of attributes like this <a href="${var}"></a>. This should be properly escaped as an attribute. Sometimes users may be tempted to use this with untrusted text and cause XSS issues.

It would also be nice to be able to do the following, but they're more advanced, and are actually not really possible within the current API because of the virtual functions of WTemplate:

  • Partial template updates when conditions change (we can't really know when they change when conditionValue(...) is overridden, and even templateText() is virtual)
  • Retrieve a list of all variables in the template
  • Enforce the rule that widgets only occur once in a template

The encode() function can be rolled into this, instead of having multiple passes.

#1

Updated by Korneel Dumon 6 months ago

Regarding the example, the href attribute cannot be easily escaped to protect against XSS.
In this case, a possibility is to remove it or allow a user to bind an UnsafeXHTML string (which they then have to escape themselves).

https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#xss-prevention-rules-summary
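As an added example (not Wt's code), here is one way to combine the context-sensitive escaping proposed in the description with this comment's point about href: a `${var}` in the text body gets text escaping, one inside a double-quoted attribute gets attribute escaping, and href/src values additionally pass through a URL-scheme allowlist (relative or http(s) only), which is an assumed policy rather than anything Wt implements.

```cpp
#include <cctype>
#include <map>
#include <string>
// Added example, not Wt's code: a minimal context-aware renderer for ${var}
// placeholders. The text body and attribute values get different escaping,
// and href/src values are limited to relative or http(s) URLs (an assumed
// policy). Only double-quoted attributes are recognised.
static std::string escape(const std::string& s, bool attr) {
    std::string out;
    for (char c : s) {
        const char* rep = c == '&' ? "&amp;" : c == '<' ? "&lt;" : c == '>' ? "&gt;"
                        : attr && c == '"' ? "&quot;" : attr && c == '\'' ? "&#39;" : nullptr;
        if (rep) out += rep; else out += c;
    }
    return out;
}
// Relative URLs and http(s) pass; any other scheme is rejected.
static bool safeUrl(const std::string& u) {
    std::string lower;
    for (char c : u) lower += (char)std::tolower((unsigned char)c);
    size_t colon = lower.find(':');
    if (colon == std::string::npos || lower.find_first_of("/?#") < colon) return true;
    std::string scheme = lower.substr(0, colon);
    return scheme == "http" || scheme == "https";
}
std::string render(const std::string& tmpl, const std::map<std::string, std::string>& vars) {
    std::string out, attrName;        // attrName: attribute a ${...} sits in
    bool inTag = false, inAttr = false;
    for (size_t i = 0; i < tmpl.size(); ++i) {
        char c = tmpl[i];
        size_t end = (c == '$' && tmpl.compare(i, 2, "${") == 0) ? tmpl.find('}', i) : std::string::npos;
        if (end != std::string::npos) {           // substitute a variable
            auto it = vars.find(tmpl.substr(i + 2, end - i - 2));
            std::string value = it == vars.end() ? "" : it->second;
            bool url = inAttr && (attrName == "href" || attrName == "src");
            out += escape(url && !safeUrl(value) ? "#" : value, inAttr);
            i = end;
            continue;
        }
        out += c;                                 // literal template text
        if (!inTag) { if (c == '<') { inTag = true; attrName.clear(); } }
        else if (inAttr) { if (c == '"') inAttr = false; }
        else if (c == '>') inTag = false;
        else if (c == '"') inAttr = true;
        else if (std::isalpha((unsigned char)c) || c == '-') attrName += c;
        else if (c != '=') attrName.clear();      // whitespace starts a new token
    }
    return out;
}
```

Rejected URL values are replaced by "#" rather than dropped, so the rendered document stays well-formed while the bound value cannot become an executable link.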
