Protecting against cross-site scripting attacks with context-aware escaping functions

Source: Internet
Author: User

Author: Britta

Auto-Escape was developed primarily for general-purpose template systems, that is, template systems that do not fully understand the structure of the content they produce or the programming languages embedded in it. Such template systems typically offer only minimal support for web applications, often limited to a few basic escaping functions that developers can apply to help escape untrusted content before it is returned to the web application. When web applications of some scale and complexity rely on these template systems, the risk of XSS attacks increases. Why? Consider the simplified template below. The placeholders (variables) in double braces {{ }} are replaced at run time with content that is not trusted.

<body>
<span style="color:{{USER_COLOR}};">
Hello {{USER_NAME}}, view your <a href="{{USER_ACCOUNT_URL}}">Account</a>.
</span>
<script>
var id = {{USER_ID}}; // some code using id, say:
// alert("Your user ID is: " + id);
</script>
</body>


In this template, four variables are used:

USER_NAME is inserted into ordinary HTML text. Therefore, HTML escaping is sufficient to insert it safely.

USER_ACCOUNT_URL is inserted into an HTML attribute that takes a URL. Therefore, in addition to HTML escaping, the URL scheme must be validated as safe (for example, allowing only http and https), because HTML escaping alone does not prevent javascript: pseudo-URLs.

USER_COLOR is inserted within a CSS context. Therefore, an escaping function is required that defends against dangerous CSS constructs (such as expression() or url()) as well as against constructs that break out of the style context into script.

USER_ID is inserted as a JavaScript value that is not enclosed in quotation marks and is expected to be a number. Therefore, an escaping function must be used that forces USER_ID to be a number (an ordinary JavaScript-escape function does not do this); otherwise arbitrary JavaScript execution may occur. Other variables may similarly need to be coerced into other types, including arrays and objects.

Inserting these variables requires different escaping methods, and applying the wrong one leads to different XSS attacks. The example above leaves out many other cases of interest, such as style tags, HTML event-handler attributes (such as onmouseover), and attribute values that are not enclosed in quotation marks.

Auto-Escape

The preceding example shows that the developer must correctly understand the context into which each variable is inserted and select a safe, appropriate escaping function. In larger and more complex web applications, two problems mainly lead to XSS:

1. The developer forgets to apply an escaping function to a variable.

2. The developer applies the wrong escaping function to the inserted variable.

Given the large number of templates in a web application and the number of contexts in which untrusted content can appear, proper escaping becomes complex and error-prone, and from a security-testing perspective it is difficult to audit effectively. Auto-Escape removes this complexity from developers and places it in the template system, thereby reducing the threat of cross-site scripting attacks.

Implementation

Auto-Escape makes the template system aware of the context into which each variable of the web application is inserted, so that it can automatically apply the appropriate escaping function. It is implemented in three steps:

1. First, determine the different contexts in which untrusted content may be returned, and provide an appropriate escaping function for each of them. For example, we were not aware of any need to support variable insertion inside an HTML tag name (as opposed to an HTML attribute), so we provide no support for it. Other factors also play a role, including the availability of existing escaping functions and backward compatibility. As a result, some of this work depends on the template system.

2. We developed our own parser for HTML and JavaScript templates. This parser can be queried for the information needed to escape properly. It is designed for performance and runs in streaming mode, and it is deliberately lenient with malformed input, because browsers themselves are not strict.

3. We add an additional step to the parsing the template system performs before it begins substituting variables. This step drives the HTML/JavaScript parser, queries the context of each variable, and applies the escaping rules to determine which escaping function to use for each variable. Depending on the template system, this step may run when the template is first used.

A simple mechanism is also provided to mark variables that are actually safe and do not need to be escaped, for example variables that have already been escaped elsewhere in the source code or that contain trusted markup.
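The per-context escaping functions described for the four variables above and the context-tracking mechanism just outlined, combined in one small Python engine. This is an added example, not Ctemplate's or ClearSilver's code; the escaper names, the http/https scheme allow-list, the colour-token rule for CSS, and the sample values are all constructed assumptions.

```python
import html, re
from urllib.parse import urlsplit

# Constructed mini template engine (added example; not Ctemplate's code). A scanner
# classifies the context at each {{VAR}} placeholder from the template text before it,
# then applies the escaping function for that context.
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")
def esc_html(v):                      # HTML text or quoted attribute: entity-encode
    return html.escape(str(v), quote=True)
def esc_url_attr(v):                  # URL attribute: allow-list the scheme, then HTML-escape
    if urlsplit(str(v)).scheme.lower() not in ("", "http", "https"):
        return "#"                    # javascript:, data:, ... are replaced, not just escaped
    return html.escape(str(v), quote=True)
def esc_css(v):                       # CSS value: accept only a plain colour-like token
    return str(v) if re.fullmatch(r"#?[A-Za-z0-9]{1,20}", str(v)) else "inherit"
def esc_js_number(v):                 # unquoted JS literal: coerce to a number or fail closed
    try: return repr(int(v))
    except (TypeError, ValueError): return "null"

def context_at(prefix):
    """Return 'html', 'attr', 'url', 'css' or 'js' for the position at the end of prefix."""
    low = prefix.lower()
    if low.rfind("<script") > low.rfind("</script"):
        return "js"                   # inside an unclosed <script> block
    tag_open = prefix.rfind("<")
    if tag_open > prefix.rfind(">"):  # inside an unfinished start tag: which attribute?
        attr = re.search(r'([\w-]+)\s*=\s*["\']?[^"\'<>]*$', prefix[tag_open:])
        if attr:
            name = attr.group(1).lower()
            return "url" if name in ("href", "src") else "css" if name == "style" else "attr"
    return "html"

ESCAPERS = {"html": esc_html, "attr": esc_html, "url": esc_url_attr,
            "css": esc_css, "js": esc_js_number}
def render(template, values):
    """Substitute placeholders, auto-selecting the escaper from each one's context."""
    out, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        ctx = context_at(template[:m.start()])
        out.append(template[pos:m.start()] + ESCAPERS[ctx](values[m.group(1)]))
        pos = m.end()
    return "".join(out) + template[pos:]

# Constructed untrusted values, one per context in the article's template.
SAMPLE = {"USER_COLOR": "red;background:url(x)", "USER_NAME": "<b>Mallory</b>",
          "USER_ACCOUNT_URL": "javascript:void(0)", "USER_ID": "42 || 0"}
TEMPLATE = ('<body>\n<span style="color:{{USER_COLOR}};">\nHello {{USER_NAME}}, view your '
            '<a href="{{USER_ACCOUNT_URL}}">Account</a>.\n</span>\n<script>\n'
            'var id = {{USER_ID}}; // some code using id\n</script>\n</body>')
```

Calling render(TEMPLATE, SAMPLE) yields color:inherit;, an HTML-escaped name, href="#" and var id = null;, showing that each placeholder received a different escaper without the template author choosing one.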

Current status

Both the C++ Google Ctemplate and ClearSilver template systems include the Auto-Escape functionality. The former has been released for some time, and the latter is expected to be released soon. We hope this functionality helps more people defend against cross-site scripting attacks.
