July 06, 2020 Html escaping for security: howto in D?

Hello (I am a newbie to dlang)

What's the recommended way to escape user input when outputting html?

intent: to stop XSS/etc, see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

thanks in advance!

Fitz

July 06, 2020 Re: Html escaping for security: howto in D?
Posted in reply to Fitz

On Monday, 6 July 2020 at 11:56:17 UTC, Fitz wrote:
> Hello (I am a newbie to dlang)
>
> What's the recommended way to escape user input when outputting html?
>
> intent: to stop XSS/etc, see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
>
> thanks in advance!
>
> Fitz

looks like this forum uses https://github.com/CyberShadow/ae/blob/master/utils/text/html.d to do escaping. This code only escapes 4/6 characters, not these:
' --> &#x27;
/ --> &#x2F;
which looks risky?, if it's stored in "$encode", given
<div class='$encoded'>hello, world</div>
then
$encode="blue' onclick='alert()"
results in:
<div class='blue' onclick='alert()'>hello, world</div>
could be nasty

July 06, 2020 Re: Html escaping for security: howto in D?
Posted in reply to Fitz

On Monday, 6 July 2020 at 12:26:01 UTC, Fitz wrote:
> looks like this forum uses https://github.com/CyberShadow/ae/blob/master/utils/text/html.d to do escaping. This code only escapes 4/6 characters, not these:
> ' --> &#x27;
> / --> &#x2F;
> which looks risky?, if it's stored in "$encode", given
> <div class='$encoded'>hello, world</div>
> then
> $encode="blue' onclick='alert()"
> results in:
> <div class='blue' onclick='alert()'>hello, world</div>
> could be nasty
If you don't escape single quotes, then don't use single quotes to delimit attributes.
I fixed the function to also escape single quotes. Thanks for the report. But, I think you should look at Vibe.d or Hunt for a more complete framework.

July 06, 2020 Re: Html escaping for security: howto in D?
Posted in reply to Vladimir Panteleev

On Monday, 6 July 2020 at 12:39:42 UTC, Vladimir Panteleev wrote:
> On Monday, 6 July 2020 at 12:26:01 UTC, Fitz wrote:
>> looks like this forum uses https://github.com/CyberShadow/ae/blob/master/utils/text/html.d to do escaping. This code only escapes 4/6 characters, not these:
>> ' --> &#x27;
>> / --> &#x2F;
>> which looks risky?, if it's stored in "$encode", given
>> <div class='$encoded'>hello, world</div>
>> then
>> $encode="blue' onclick='alert()"
>> results in:
>> <div class='blue' onclick='alert()'>hello, world</div>
>> could be nasty
>
> If you don't escape single quotes, then don't use single quotes to delimit attributes.
>
> I fixed the function to also escape single quotes. Thanks for the report. But, I think you should look at Vibe.d or Hunt for a more complete framework.
thank you! I'll have a look at them to see what they provide

July 06, 2020 Re: Html escaping for security: howto in D?
Posted in reply to Fitz

On Monday, 6 July 2020 at 11:56:17 UTC, Fitz wrote:
> Hello (I am a newbie to dlang)
>
> What's the recommended way to escape user input when outputting html?
>
> intent: to stop XSS/etc, see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
>
> thanks in advance!
>
> Fitz

So in D you'll have to do multiple things. The first one is using some kind of stripTags() as available in PHP. I had it in me some time ago to create such a collection of handy utilities...a very long long time ago...two yrs 😜. See https://code.dlang.org/packages/sanival for stripTags()

It's a very limited implementation and uses std.regex which many people here who are critical about performance will speak against. I'm yet to see an alternative. So you could use that if you don't find a better alternative.

That's just the first step. The second would be to use prepared statements in whatever database you use if it's vulnerable to such attacks, SQL injection for instance. Not all databases are.

Third will be to have a server-side validation function which checks for unexpected characters/tags and issues an error to the users. You should probably do the third one first 😀

You could go as deep as you want. But those are how I might do it.

July 06, 2020 Re: Html escaping for security: howto in D?
Posted in reply to Fitz

On Monday, 6 July 2020 at 11:56:17 UTC, Fitz wrote:
> Hello (I am a newbie to dlang)
>
> What's the recommended way to escape user input when outputting html?
>
> intent: to stop XSS/etc, see https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
>
> thanks in advance!
>
> Fitz

stripTags() is for when you want to leave other safe tags in comments. If you want to completely remove all tags, https://code.dlang.org/packages/plain might be better.

July 07, 2020 Re: Html escaping for security: howto in D?
Posted in reply to aberba

On Monday, 6 July 2020 at 14:57:22 UTC, aberba wrote:
> utilities...a very long long time ago...two yrs 😜. See https://code.dlang.org/packages/sanival for stripTags()
> It's a very limited implementation and uses std.regex which many people here who are critical about performance will speak against. I'm yet to see an alternative. So you could use that if you don't find a better alternative.
>

Can't see stripTags? in https://code.dlang.org/packages/sanival

July 07, 2020 Re: Html escaping for security: howto in D?
Posted in reply to aberba

On Monday, 6 July 2020 at 15:13:30 UTC, aberba wrote:
> If you want to completely remove all tags, https://code.dlang.org/packages/plain might be better.

seems overkill, just implemented something simple:

// https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
import std.array : appender;

// Escape the six characters the OWASP sheet lists for HTML body/attribute contexts
string encodeSafely(string input) {
    auto w = appender!string;

    foreach (c; input) {
        switch (c) {
            case '&':
                w ~= "&amp;";
                break;
            case '<':
                w ~= "&lt;";
                break;
            case '>':
                w ~= "&gt;";
                break;
            case '"':
                w ~= "&quot;";
                break;
            case '\'':
                w ~= "&#x27;";
                break;
            case '/':
                w ~= "&#x2F;";
                break;
            default:
                w ~= c;
                break;
        }
    }

    return w[];
}

July 07, 2020 Re: Html escaping for security: howto in D?
Posted in reply to Fitz

On Tuesday, 7 July 2020 at 17:59:21 UTC, Fitz wrote:
> On Monday, 6 July 2020 at 15:13:30 UTC, aberba wrote:
>
>> If you want to completely remove all tags, https://code.dlang.org/packages/plain might be better.
>
> seems overkill, just implemented something simple:
> // https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
> string encodeSafely(string input) {
>     auto w = appender!string;
>
>     foreach (c; input) {
>         switch (c) {
>             case '&':
>                 w ~= "&amp;";
>                 break;
>             case '<':
>                 w ~= "&lt;";
>                 break;
>             case '>':
>                 w ~= "&gt;";
>                 break;
>             case '"':
>                 w ~= "&quot;";
>                 break;
>             case '\'':
>                 w ~= "&#x27;";
>                 break;
>             case '/':
>                 w ~= "&#x2F;";
>                 break;
>             default:
>                 w ~= c;
>                 break;
>         }
>     }
>
>     return w[];
> }
There is no reason to escape / and it might break some parsers for links etc. You should only escape <, >, &, " and '

July 07, 2020 Re: Html escaping for security: howto in D?
Posted in reply to bauss

On Tuesday, 7 July 2020 at 18:30:38 UTC, bauss wrote:
> On Tuesday, 7 July 2020 at 17:59:21 UTC, Fitz wrote:
>> On Monday, 6 July 2020 at 15:13:30 UTC, aberba wrote:
>>
>>> If you want to completely remove all tags, https://code.dlang.org/packages/plain might be better.
>>
>> seems overkill, just implemented something simple:
>> // https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
>> string encodeSafely(string input) {
>>     auto w = appender!string;
>>
>>     foreach (c; input) {
>>         switch (c) {
>>             case '&':
>>                 w ~= "&amp;";
>>                 break;
>>             case '<':
>>                 w ~= "&lt;";
>>                 break;
>>             case '>':
>>                 w ~= "&gt;";
>>                 break;
>>             case '"':
>>                 w ~= "&quot;";
>>                 break;
>>             case '\'':
>>                 w ~= "&#x27;";
>>                 break;
>>             case '/':
>>                 w ~= "&#x2F;";
>>                 break;
>>             default:
>>                 w ~= c;
>>                 break;
>>         }
>>     }
>>
>>     return w[];
>> }
>
> There is no reason to escape / and it might break some parsers for links etc. You should only escape <, >, &, " and '
Oh and control characters (basically anything not tabs below space in ASCII)
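Putting the thread's conclusions into one place: escape both quote characters so the encoder works no matter which delimiter the template uses (Vladimir's point), leave `/` alone so paths and links survive (bauss), and drop control characters other than tab, LF and CR (bauss's follow-up). The D code below is an added example written for this page; it is not code posted in the thread and not taken from ae, vibe.d or Hunt. The names `encodeHtml` and `renderDiv` are chosen here, and `renderDiv` reproduces the `<div class='...'>` markup from Fitz's first reply so the unittest can show what the encoded value looks like in that position.

```d
// Added example (not code from the thread, ae, vibe.d or Hunt): an HTML
// encoder for element content and quoted attribute values in D.
// The names encodeHtml and renderDiv are chosen for this example.
import std.array : appender;
import std.ascii : isControl;

/// Encode `input` for insertion into HTML element content or into a quoted
/// attribute value. Both quote characters are escaped, so the output is safe
/// whether the surrounding attribute is delimited with " or with '.
/// '/' is passed through unchanged; C0 control characters other than tab,
/// LF and CR (and DEL) are dropped rather than encoded.
string encodeHtml(string input)
{
    auto w = appender!string;
    w.reserve(input.length);
    foreach (char c; input)
    {
        switch (c)
        {
            case '&':  w ~= "&amp;";  break;
            case '<':  w ~= "&lt;";   break;
            case '>':  w ~= "&gt;";   break;
            case '"':  w ~= "&quot;"; break;
            case '\'': w ~= "&#x27;"; break;   // numeric form: &apos; is not in HTML 4
            case '\t', '\n', '\r':
                w ~= c;                         // ordinary whitespace, keep it
                break;
            default:
                if (!c.isControl)               // drops 0x00..0x1F and 0x7F
                    w ~= c;                     // includes '/' and non-ASCII bytes
                break;
        }
    }
    return w[];
}

/// The markup from the thread, with the user-controlled class value inside a
/// single-quoted attribute.
string renderDiv(string cls)
{
    return "<div class='" ~ encodeHtml(cls) ~ "'>hello, world</div>";
}

unittest
{
    // The value from the thread: with ' escaped it cannot close the attribute,
    // so "onclick=..." remains part of the class string, not a new attribute.
    assert(renderDiv("blue' onclick='alert()") ==
        "<div class='blue&#x27; onclick=&#x27;alert()'>hello, world</div>");

    // Element content and a double-quoted attribute in the input.
    assert(encodeHtml(`<b title="x">`) == "&lt;b title=&quot;x&quot;&gt;");

    // '/' is left alone, so paths and URLs survive (bauss's point).
    assert(encodeHtml("img/a.png") == "img/a.png");

    // Encoding is deliberately not idempotent: already-encoded input is
    // encoded again, so the browser never decodes something twice.
    assert(encodeHtml("&amp;") == "&amp;amp;");

    // Control characters other than tab/LF/CR are dropped; tab is kept.
    assert(encodeHtml("a\x00b\tc\x7f") == "ab\tc");

    // Non-ASCII UTF-8 passes through byte-for-byte.
    assert(encodeHtml("café") == "café");
}

void main()
{
    import std.stdio : writeln;
    writeln(renderDiv("blue' onclick='alert()"));
}
```

Run it with `dmd -unittest -run encode.d` (or `rdmd -unittest encode.d`); the unittest block executes before `main`. Escaping both quote characters is what makes the encoder independent of the template's choice of delimiter, which is the trade-off Vladimir's reply describes. This covers the HTML body and attribute contexts only; a value placed inside a JavaScript string, a URL query, or a CSS property needs the separate encoders the OWASP cheat sheet linked in the thread prescribes for those contexts.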
Copyright © 1999-2021 by the D Language Foundation