Context-aware HTML escaping


This article was published as the Month of PHP Security Submission.

Introduction

Cross-site scripting (XSS) is one of the most common vulnerabilities in web applications. The defense against this attack on HTML pages is however quite simple – it is enough to replace the characters < and &, which have a special meaning in HTML text, with the corresponding entities &lt; and &amp; just before outputting any untrusted data. If we want to output untrusted data inside a quoted HTML attribute value (like title="") we also have to escape the quote character as &quot;.

PHP offers this escaping through the function htmlspecialchars, which encodes all three special characters (and > as a bonus). It is also possible to escape ', which can also be used to quote an HTML attribute value, by passing ENT_QUOTES as the second parameter.

It is important to note that this function can be safely used only to escape HTML text (data between tags that have no special meaning, unlike e.g. <script> or <style>) or a quoted value of an attribute without a special meaning (unlike e.g. onmouseover="" or style=""). Other contexts (such as a tag or attribute name, an unquoted attribute value, or an HTML comment) are unsafe even after this function is applied.

It is also important to note that the page must explicitly set the character set in the Content-Type header. Otherwise the browser can be fooled into using a character set in which other characters have a special meaning (such as UTF-7). The character set can also be passed to htmlspecialchars, but it is not required with single-byte character sets or UTF-8.

Note: The htmlentities function can be used with ancient encodings to encode characters which do not exist in the character set. This function is not required with Unicode, which covers all characters.

Automatic escaping

If the defense against XSS is so simple (apply htmlspecialchars to any printed data) then why is it such a common vulnerability? The reason is that programmers often forget to use it. Sometimes they use it on the usual XSS targets like discussions but forget to use it in a search or registration form. Other times they escape all forms but forget about URL parameters.

The best way not to forget about escaping is to automate it. Most templating engines offer automatic escaping. For example Smarty offers a $default_modifiers variable which can add an escape filter escaping all printed data. These default modifiers can be disabled by the smarty:nodefaults filter applied to any variable, so it is still possible to output trusted HTML code, but it requires longer code. This is an important observation – shorter code is more secure.

I see this automatic escaping as one of the most important features of templating engines (the other one is the separation of HTML and PHP code). Pure PHP templates do not offer this feature.

Note: Another option is to generate XML data from the PHP script through DOM or another PHP extension and convert it to HTML with an XSL template. This approach is equivalent to automatic escaping because text content created by e.g. createTextNode is serialized with special characters converted to entities. Creating such applications is however more difficult than using classic templates and requires more resources to generate the page.

Context-aware escaping

There are still other contexts with different sets of special characters, most importantly the <script> tag and JavaScript event handlers. They can usually be separated into an external file but sometimes not (for example initializing a user-specific JavaScript variable is better done in an inline <script> tag). Most importantly, the decision about how the data is used is up to the template author. He can decide to use the data escaped for HTML inside a JavaScript event. An important part of our application security is in the hands of an HTML coder! This is often a guy with brilliant color sensitivity who however hardly understood loops.

The solution to this problem lies in context-aware escaping, which improves automatic escaping by recognizing the context and choosing the escaping function appropriate for it.

The first templating engine with context-aware escaping is probably Google's ctemplate, which is available for C++. The only context-aware escaping template engine for PHP known to the author is Nette Latte, which is a part of the Nette Framework but can also be used independently.

Note: The Nette Framework is created with an emphasis on security, which is visible not only in templates but also in all other parts. For example the defense against Cross-site request forgery in the framework's forms is easy.

Nette Latte

The Nette Latte templating engine automatically recognizes the following contexts:

This allows writing even complicated (but still realistic) code without any manual escaping:

<script type="text/javascript">
var userId = {$userId};
</script>
<p style="color: {$color};" title="{$title}">
<a href="" onclick="return !confirm({$message});">{$desc}</a>
</p>
<!-- Executed in: {$time} s -->

If you try to escape this code by hand without any restrictions on the variable values, you will probably find it very difficult.

Please note that variables used inside the JavaScript code are unquoted. Treat them as ordinary JS values – PHP numbers are printed as JS numbers, PHP strings as JS strings, PHP associative arrays as JS object literals and so on.

Automatic context-aware escaping can't be disabled by some magic filter (like in Smarty), but there is a separate syntax to print a raw variable value: {!$var}. Again – less code means more security; moreover, the exclamation mark points to something possibly dangerous.
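To make the idea concrete, here is an added sketch of a context-aware escaper for the template above. It is not Nette Latte's code: the context detection is a simplified prefix scan, and the CSS whitelist and comment escaping are choices made for this illustration, not Latte's rules. It uses only htmlspecialchars with ENT_QUOTES and UTF-8 (as discussed earlier) and json_encode with the JSON_HEX_* flags for the JavaScript contexts.

```php
<?php
// Added sketch of context-aware escaping (not Nette Latte's code); context detection is simplified.
function escapeFor(string $ctx, $value): string {
    $js = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT; // <, >, &, ', " become \uXXXX
    switch ($ctx) {
        case 'html': case 'attr':  // text between tags, or a quoted attribute value
            return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
        case 'js':      // inside <script>: a JSON literal is a JS literal, and "</script>" cannot appear
            return json_encode($value, $js);
        case 'jsattr':  // event handler attribute: JS escaping first, then HTML attribute escaping
            return htmlspecialchars(json_encode($value, $js), ENT_QUOTES, 'UTF-8');
        case 'css':     // style attribute: conservative whitelist (my choice), anything else is dropped
            return preg_match('~^[\w#%.,\s-]*$~', (string) $value) ? (string) $value : '';
        case 'comment': // HTML comment: the value must not be able to close it
            return str_replace(['--', '>'], ['- -', '&gt;'], (string) $value);
    }
    throw new InvalidArgumentException("Unsupported context: $ctx");
}
// Decide the context from the template text that precedes a {$var} tag.
function contextAt(string $prefix): string {
    if (preg_match('~<!--(?:(?!-->).)*$~s', $prefix)) return 'comment';
    if (preg_match('~<script\b[^>]*>(?:(?!</script>).)*$~is', $prefix)) return 'js';
    if (preg_match('~<[a-z][^>]*?\s([\w:-]+)\s*=\s*"[^"]*$~is', $prefix, $m)) {
        $name = strtolower($m[1]);
        return strncmp($name, 'on', 2) === 0 ? 'jsattr' : ($name === 'style' ? 'css' : 'attr');
    }
    if (preg_match('~<[a-z][^>]*$~is', $prefix)) { // tag name, attribute name or unquoted value
        throw new RuntimeException('Unsupported context: no safe escaping exists here');
    }
    return 'html';
}
function render(string $template, array $vars): string {
    $out = ''; $pos = 0;
    preg_match_all('~\{(!?)\$(\w+)\}~', $template, $m, PREG_OFFSET_CAPTURE | PREG_SET_ORDER);
    foreach ($m as $t) {
        [$tag, $offset] = $t[0];
        $out .= substr($template, $pos, $offset - $pos);
        $value = $vars[$t[2][0]];  // {!$var} prints the raw value, {$var} escapes for its context
        $out .= $t[1][0] === '!' ? (string) $value : escapeFor(contextAt(substr($template, 0, $offset)), $value);
        $pos = $offset + strlen($tag);
    }
    return $out . substr($template, $pos);
}
// The article's template with constructed hostile values.
$template = '<script type="text/javascript">var userId = {$userId};</script>
<p style="color: {$color};" title="{$title}"><a href="" onclick="return !confirm({$message});">{$desc}</a></p>
<!-- Executed in: {$time} s -->';
$vars = ['userId' => 42, 'color' => 'red; background:url(x)', 'title' => 'A "quoted" <b>',
    'message' => 'Leave?</script><b>x</b>', 'desc' => '<b>bold</b>', 'time' => '0.1 --> <b>'];
echo render($template, $vars);
```

Every value is rendered inert in its own context: the string in the event handler comes out as a JSON literal whose quotes are HTML entities, the CSS value that does not pass the whitelist is dropped, and the comment can no longer be closed early.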

Note: There is no special context for URLs. The reason is that links are created with a separate tag, {link}.

Summary

Escaping HTML special characters is simple but it can easily be forgotten. Automatic escaping solves this problem but doesn't respect contexts with different special characters, such as JavaScript. Context-aware escaping comes to the rescue. Nette Latte is a solid templating engine for PHP with this feature.

Jakub Vrána, Výuka, 5.5.2010, comments: 7 (new: 0)

Comments

Martin:

Interesting, but what impact does it have on performance? If a syntactic analysis is done on every template, it probably won't be great.

jarda:

That is done only when translating (compiling) the template; after that the result is already prepared in the cache.

analytik:

"Like have" should be "e.g." in English, or "for example,"

© 2005-2019 Jakub Vrána. Published texts may be reprinted only with the author's permission. Code samples may be used with attribution of the author and the URL of this site without further restrictions (Creative Commons). Scripts assume the settings magic_quotes_gpc=Off, magic_quotes_runtime=Off, error_reporting=E_ALL & ~E_NOTICE and expect a prior call to mysql_set_charset. Scripts should work in PHP >= 4.3 and PHP >= 5.0.