I am working on an issue raised by the security team about a possible XSS attack on a few input fields on our form. Our freemarker page has the following code.
<#assign zipcode = someObject.getInfo().getZipCodeFirstFive()>
I read up on HTML encoding and it talks about adding ?html at the end but I couldn't find the freemarker syntax anywhere. So, could I do something like
<#assign zipcode = (someObject.getInfo().getZipCodeFirstFive())?html>
to make it output encoded?
Yes, that would be a possible syntax for this, though I would recommend two things to make it more readable:
You don't need the extra (); you can just write someObject.getInfo().getZipCodeFirstFive()?html
It's unrelated to escaping, but you don't need to write out getters either, so you end up with someObject.info.zipCodeFirstFive?html
In the longer term, I would recommend escaping by default. Before 2.3.24 that's done by surrounding each template with <#escape x as x?html>...</#escape>. Starting from 2.3.24 the recommended method is auto-escaping set up globally, in the Configuration.
I’m using the new TYPO3\CMS\Core\Mail\FluidEmail feature of TYPO3 v10.3 to send HTML system e-mails. Unfortunately, I’m experiencing a weird behavior with Viewhelpers in the e-mail Templates. Calling the regular Viewhelper notation like e.g. <f:uri.resource extensionName="backend" path="Images/typo3_orange.svg"/> works as expected. But inline notations of the same Viewhelper (like {f:uri.resource(extensionName: 'backend', path: 'Images/typo3_orange.svg')}) don’t get processed at all.
Surprisingly, when I call the regular notation first and the inline notation afterwards in the same template, both notations get resolved.
I also experienced that no fluid variables are accessible in the template, e.g. {normalizedParams}, which should be available when you set the request like $message->setRequest($GLOBALS['TYPO3_REQUEST']);
Did anyone experience a similar behavior and has a hint for me?
Here's my implementation in my Controller Action:
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Core\Mail\FluidEmail;
use TYPO3\CMS\Core\Mail\Mailer;
use TYPO3\CMS\Core\Utility\GeneralUtility;

$message = GeneralUtility::makeInstance(FluidEmail::class);
$message
    ->to($email)
    ->format(FluidEmail::FORMAT_HTML)
    ->setTemplate('MyTemplate')
    ->assign('pages', $pages);
// Hand the current request to the template so request-dependent variables are available
if ($GLOBALS['TYPO3_REQUEST'] instanceof ServerRequestInterface) {
    $message->setRequest($GLOBALS['TYPO3_REQUEST']);
}
GeneralUtility::makeInstance(Mailer::class)->send($message);
Reference: https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/10.3/Feature-90266-Fluid-basedTemplatedEmails.html
Sounds like a Fluid parsing problem. Do you have any { or } flying around in your template that could mess up Fluid's parsing?
Just ran into the same problem with one of my in-house plugins after switching from php7.2 to php7.4 (when switching back to php7.2 the resource path was resolved again correctly).
It turned out that some inline javascript using curly brackets further down the page was to blame (thank you Daniel). Putting it in a separate file solved the issue. It would appear that the use of inline JS is tolerated to different degrees depending on the php version being used.
I have a requirement for a dynamic key for getting a value in i18n. I am using Sightly. I would have the initial part of the key, but the last part I have to attach dynamically and then allow Sightly to get the value for it. Could you please help me with it?
I guess best practice would be to have a getter on some component bean to avoid as much programming logic within the markup as possible. If you like/need to put the logic into the HTML anyway, try something similar to this:
<p data-sly-test.keyPostfix="${isTrue ? 'true text' : 'false text'}"
data-sly-test.i18nKey="${['some.i18n.key', keyPostfix] # join='.'}"
data-sly-text="${i18nKey # i18n}">This text will be replaced by sly-text!</p>
I'm parsing some HTML, and I need to get all html in the body tag. My target string will always look something like this:
<body><div><img src="" />text etc</div></body>
However, I just need:
<div><img src="" />text etc</div>
My target string will always begin and end with those body tags. However, there is the repeated warning of not use Regex to parse HTML, but I do not have any viable solutions for that available, besides Regex at the moment.
Question: Are there any safe Regex(s) to use in this case? Or should I just forget it?
You didn't show us what your regex is, but it's not as safe as using DOM parsing if it's as simple as:
<body>(.*?)</body>
...because it's possible that </body> is contained in an attribute string or comment. If you're willing to take that risk, then you'll be fine. There's no reason you shouldn't be able to use DOM parsing and just get the text of the body, though, except it would probably be less efficient.
You could also skip the regex and just find the string indices of <body> and </body> and get the substring between them. That should be even faster.
By the way, this is not parsing the HTML; you're just extracting from the HTML.
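Added example (not the answerer's code): the lazy regex from the answer beside the index-based extraction it suggests, run on a constructed fragment where </body> also appears inside a comment. It assumes, as the question does, that the string always starts and ends with plain <body> and </body> tags.

```javascript
// The regex from the answer. Note the 's' flag: without it '.' does not match
// newlines, so a body spanning several lines would not match at all.
function extractBodyRegex(html) {
  const m = /<body>(.*?)<\/body>/s.exec(html);
  return m ? m[1] : null;
}

// Index-based variant: from the first '<body>' to the LAST '</body>'. Because the
// question guarantees the string ends with the body tag, an earlier '</body>'
// inside a comment or attribute value no longer truncates the result.
// (Upper-case tags or attributes on <body> would need a more tolerant match.)
function extractBodyByIndex(html) {
  const open = '<body>';
  const start = html.indexOf(open);
  const end = html.lastIndexOf('</body>');
  if (start === -1 || end === -1 || end < start + open.length) return null;
  return html.slice(start + open.length, end);
}

// Constructed input: the comment is harmless to a browser but defeats the lazy regex.
const SAMPLE = '<body><div><!-- old </body> here --><img src="" />text etc</div></body>';
```

In a browser, new DOMParser().parseFromString(html, 'text/html').body.innerHTML gives the same result through a real parser and is the safer choice for input you do not control.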
It's fine to use a RegEx in this case.
Having said that there are much easier ways to get the innerHTML of the body tag.
alert(document.body.innerHTML);
should give you exactly that with no RegEx...
or if you're using jQuery
$('body').html();
I have a JSP page in which I have a JavaScript function that will be called when a link is clicked. Now, when the value reaches the JavaScript function, the apostrophe is encoded.
Example:
Name#039;s
Before # there is &, which originally should be:
Name's
I have used the unescape() decode function, but nothing seems to work. In the end, I had to delete the characters and add the apostrophe. Does anyone know a fix for this? Is it that JSP doesn't support encoding for &? When I was writing the same encode value in this page, it changed the symbol to the apostrophe, which is what I wanted in my code.
Built-in JavaScript functions such as unescape() and decodeURIComponent() have nothing to do with the string you are working on, because the ones you are looking to decode are HTML entities.
There is no HTML entity decoder available in JavaScript, but since you are working with a browser, if the string is considered safe, you may do the following (in jQuery, for example):
var str = $('<p />').html(str).text();
It basically inserts the string as HTML into a <p> element and then extracts the text within.
Edit: I just realized the JSP output you posted is not real HTML entities. To process the example given you should use the following, which adds & before every #1234; to make it &#1234;:
var str = $('<p />').html(str.replace(/#(\d+);/g, '&#$1;')).text();
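Added example, not code from either the FreeMarker answer above or this one: a ?html-style escaper and a DOM-free entity decoder that also handles the mangled "Name#039;s" form from the question. All inputs are constructed; it does not use jQuery, so an untrusted string is never handed to .html() or innerHTML, where any markup it contains would be executed.

```javascript
// Escape the characters that can break out of text or attribute context.
// FreeMarker's ?html makes the same replacements (the apostrophe one only
// from incompatible_improvements 2.3.24 on).
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Named entities we decode; anything else is left untouched rather than guessed.
const NAMED = { amp: '&', lt: '<', gt: '>', quot: '"', apos: "'", nbsp: '\u00a0' };

// Decode numeric (&#39;, &#x27;) and the named entities above without a DOM,
// so the input is never parsed as markup.
function htmlDecode(s) {
  return String(s).replace(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);/gi, (m, body) => {
    if (body[0] === '#') {
      const hex = body[1] === 'x' || body[1] === 'X';
      const cp = parseInt(body.slice(hex ? 2 : 1), hex ? 16 : 10);
      return cp > 0x10ffff ? m : String.fromCodePoint(cp);
    }
    return Object.prototype.hasOwnProperty.call(NAMED, body) ? NAMED[body] : m;
  });
}

// The JSP output in the question arrived as "Name#039;s" (the '&' lost on the
// way); restore it first, as the edited answer proposes, then decode.
function decodeMangledJsp(s) {
  return htmlDecode(String(s).replace(/#([0-9]+);/g, '&#$1;'));
}
```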
I'm currently using Zend_Filter_StripTags in a commenting system, but stuff kinda breaks when '<3' is entered. StripTags doesn't seem to be smart enough to realize that it's not an HTML tag, and creating the filter as "new Zend_Filter_StripTags(array('3'))" doesn't seem to work either.
Should I pass the input through a regexp first, or is there a way to get Zend_Filter_StripTags to straighten up and fly right?
Ended up writing a Zend_Filter class that was basically a wrapper for HTMLPurifier. Works perfectly, because HTMLPurifier is a LOT smarter than striptags.
I'm not familiar with Zend much, but if you want stuff like <3 to be allowed, just do htmlspecialchars instead of strip_tags on it.
What you want is Zend_Filter_HtmlEntities most likely.
See: Zend_Filter_HtmlEntities
The problem with htmlspecialchars and Zend_Filter_HtmlEntities is that if you're trying to strip out all HTML tags (like 'a' and 'img', etc.), then instead of stripping them, you end up with that markup in your output.
Take comments on a blog for example. If you use htmlspecialchars or Zend_Filter_HtmlEntities, in a comment where someone tries to use HTML to enter a link you end up with that markup showing up when you display the comment. But if you use strip_tags or Zend_Filter_StripTags you end up mangling the comment, as neither is smart enough to realize that '<3' isn't a tag, and just strips everything from '<3' until the end of the comment (or until it finds '>').
It would be nice if Zend had something like HTMLPurifier, where it actually checks and validates the input before stripping tags. This means that stuff like '<3' gets left alone, whereas stuff like 'Awesome Site' becomes 'Awesome Site'.
This is a problem I'm trying to work around, and at the moment it seems like I'm going to end up writing my own Zend_Filter class that's basically a wrapper for HTMLPurifier.
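Added example, not code from Zend or HTMLPurifier: a naive strip_tags-style stripper beside one that applies the HTML tokenizer's rule that '<' only opens a tag when followed by a letter, '/', '!' or '?', so '<3' survives as the answer above wants. Both return plain text for display; neither is a sanitizer for allowing a subset of markup, which is the job HTMLPurifier does, and the result still has to be HTML-escaped when rendered.

```javascript
// Naive stripper: everything from a '<' up to the next '>' (or to the end of
// the input when there is none) disappears, which is how '<3 this' gets lost.
function stripTagsNaive(s) {
  return String(s).replace(/<[^>]*>?/g, '');
}

// Tag-aware stripper: a '<' not followed by [A-Za-z/!?] is literal text and
// kept; real tags are dropped up to their closing '>', comments up to '-->'.
function stripTagsAware(input) {
  const s = String(input);
  let out = '';
  let i = 0;
  while (i < s.length) {
    const c = s[i];
    if (c === '<' && /[A-Za-z\/!?]/.test(s[i + 1] || '')) {
      // Comments may legitimately contain '>' so they end only at '-->'.
      const isComment = s.startsWith('<!--', i);
      const end = isComment ? s.indexOf('-->', i + 4) : s.indexOf('>', i + 1);
      if (end === -1) break;            // unterminated tag: nothing after it is text
      i = end + (isComment ? 3 : 1);
    } else {
      out += c;                         // '<3', '1 < 2' and every '>' stay as text
      i += 1;
    }
  }
  return out;
}
```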