How XSS vulnerabilities arise in the Smarty template engine, and how to prevent them


Simply put, XSS arises when a template variable is output into the page source without the URL, HTML or JS escaping that its position requires, and the variable's value happens to contain (or an attacker deliberately constructs) a string in a special format.

These are the cases in which template variables are emitted:

1. Without URL escaping ①

   Scene: in the href attribute of an <a> tag
   Source: <a href="http://mysite.com/{{$vars}}"></a>

   Scene: in the src attribute of <iframe>, <img>, <script>, <link> and similar tags
   Source: <img src="http://mysite.com/{{$vars}}"/>

   Scene: JS code that uses the variable as a URL
   Source: var url = 'http://mysite.com/{{$vars}}'

2. Without HTML escaping ②

   Scene: inside the <title> tag
   Source: <title>{{$user}} Personal Center</title>

   Scene: the value of an <input>
   Source: <input value="{{$user}}"/>

3. JS variable without JS escaping ③

   Scene: a JS variable inside an inline <script> tag on the page
   Source: var a = '{{$a}}'

   Scene: a DOM level 0 event handler on a page element
   Source: <div onclick="SomeFunction({{$param}})">

   Scene: the template of an asynchronous callback response
   Source: {{$callback}}({{$obj}})

4. Needs HTML escaping first, then JS escaping ④

   Scene: a JS statement inside a <script> tag on the page whose value is afterwards inserted into the page
   Source: dom.innerHTML = "{{$vars}}";
           document.write("{{$vars}}")

5. Needs JS escaping first, then HTML escaping ⑤

   Scene: a parameter of a method called from a DOM level 0 event handler on a page element
   Source: <div onclick="SomeFunction({{$param}})">

Prevention and control measures

For each of the numbered cases above (①-⑤), use the following escaping methods:

① URL escaping
   Smarty: {{$var|escape:'url'}}
   Other: similar to encodeURIComponent in JS, which escapes the value as a whole.
   Escaped characters: every character other than ! ' ( ) * - . _ ~ 0-9 a-z A-Z is converted to its hexadecimal (percent-encoded) escape sequence; Chinese characters give different results under different charsets.

② HTML escaping
   Smarty: {{$var|escape:'html'}}
   Other: Tangram provides the JS escape function baidu.string.encodeHTML, which can be applied to internal variables when HTML templates are generated in JS.
   Escaped characters: Smarty's method escapes the 4 characters < > ' " and these 4 are what is normally escaped; Tangram's method additionally escapes the & character, 5 characters in total.

③ JS escaping
   Smarty: {{$var|escape:'javascript'}}
   Escaped characters: ' " \ / \n \r

④ HTML escaping first, then JS escaping
   Smarty: {{$var|escape:'html'|escape:'javascript'}}
   In effect the characters end up escaped as follows:
     <  becomes  &lt;
     >  becomes  &gt;
     '  becomes  \'
     "  becomes  \"
     \  becomes  \\
     /  becomes  \/
     a literal newline becomes the two characters \n
     a literal carriage return becomes the two characters \r

⑤ JS escaping first, then HTML escaping
   Smarty: {{$var|escape:'javascript'|escape:'html'}}
   In effect the characters end up escaped as follows:
     <  becomes  &lt;
     >  becomes  &gt;
     &  becomes  &amp;
     '  becomes  &#39;
     "  becomes  &quot;
     \  becomes  \\
     /  becomes  \/
     a literal newline becomes the two characters \n
     a literal carriage return becomes the two characters \r
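The following Python is added here as an illustration; it is not the article's or Smarty's own code. It reimplements the escape rules the table above gives for ③, ④ and ⑤ and models how a browser handles scene ⑤ (an onclick attribute): the HTML parser decodes the attribute first, then the JS engine parses the string literal, which is why the JS escape must be applied before the HTML escape there. The helpers onclick_param and survives, the entity forms &#39; and &quot;, and the simplified JS string parser are all assumptions of this example.

```python
import html

# Escape rules as the article describes them for Smarty's escape:'html' and escape:'javascript',
# reimplemented for illustration (not Smarty's code; the entity forms &#39; and &quot; are assumed).
HTML_MAP = {"<": "&lt;", ">": "&gt;", "'": "&#39;", '"': "&quot;"}
JS_MAP = {"\\": "\\\\", "'": "\\'", '"': '\\"', "/": "\\/", "\n": "\\n", "\r": "\\r"}

def escape_html(s: str) -> str:
    return "".join(HTML_MAP.get(c, c) for c in s)

def escape_js(s: str) -> str:
    return "".join(JS_MAP.get(c, c) for c in s)

def parse_js_single_quoted(body: str):
    """Model the JS engine reading the inside of a '...' literal. Returns (value, leftover);
    a non-empty leftover means an unescaped quote ended the literal early (a break-out)."""
    out, i = [], 0
    while i < len(body):
        c = body[i]
        if c == "\\" and i + 1 < len(body):
            out.append({"n": "\n", "r": "\r"}.get(body[i + 1], body[i + 1]))
            i += 2
        elif c == "'":
            return "".join(out), body[i + 1:]
        else:
            out.append(c)
            i += 1
    return "".join(out), ""

def onclick_param(value: str, chain):
    """Scene ⑤: <div onclick="SomeFunction('{{$param}}')"> with the modifiers in `chain` applied
    left to right. The browser ends the attribute at the first raw double quote, entity-decodes
    what is left, and only then hands that text to the JS engine."""
    for modifier in chain:
        value = modifier(value)
    attribute_text = html.unescape(value.split('"', 1)[0])
    return parse_js_single_quoted(attribute_text)

def survives(value: str, chain) -> bool:
    """True only if the JS engine sees exactly the original value and nothing more."""
    return onclick_param(value, chain) == (value, "")

# Constructed sample values (not from the article).
SINGLE_QUOTE = "x'); otherFunction('y"
DOUBLE_QUOTE = 'say "hi"'

if __name__ == "__main__":
    for name, chain in [("none", []), ("html", [escape_html]), ("js", [escape_js]),
                        ("html->js", [escape_html, escape_js]), ("js->html", [escape_js, escape_html])]:
        print(f"{name:9} {survives(SINGLE_QUOTE, chain)!s:6} {survives(DOUBLE_QUOTE, chain)}")
```

Only the js->html chain keeps both sample values intact: html->js lets the single quote come back out of the entity inside the JS literal, and js alone leaves a raw double quote that ends the attribute.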

Advanced

1. Make Smarty escape by default: before displaying the page, execute
   $smarty->default_modifiers = array('escape:"html"');
   after which every Smarty variable (those beginning with $) is escaped by default. For variables that must not be escaped, disable the default with {{$var|smarty:nodefaults}}.

2. Asynchronous operations within the same domain: use Ajax as much as possible and insert <script> tags as little as possible, to reduce the XSS that occurs when the callback function name is not escaped.

3. On the server side, set the Content-Type response header of JSON data to application/javascript.
