interpolation proposals and safety
kdevel
kdevel at vogtner.de
Thu Aug 22 19:34:32 UTC 2024
On Saturday, 23 December 2023 at 23:33:31 UTC, Adam D Ruppe wrote:
> 1027 makes it possible to do some cases correctly, but
> difficult to trust in the general case since it makes no
> attempt at type safety and its string cannot differentiate
> between user-injected strings and format string literals.
As I will point out below, the current implementation (DMD v2.109.1) doesn't do either. At least not in the HTML case.
> [...]
>
> On the other hand, 1036e corrects these flaws, while adding the
> possibility for CTFE manipulation, aggregation, and
> verification of all string literals passed.
>
> I encourage everyone to look at the sample repository here:
>
> https://github.com/adamdruppe/interpolation-examples/
> [...]
> Finally, example #7, directly avoids the trap of XSS holes by,
> again, separating HTML structure from added data and ensuring
> correct encodings and valid data positioning is done in all
> contexts. [...]
One way to "commit" a mistake is by omitting necessary parts. In
a CGI context the webserver is reading the stdout of the CGI
application. The original example (with comments stripped) is:
```
import lib.html;

void main() {
    string name = "<bar>";
    auto element = i"<foo>$(name)</foo>".html;
    assert(element.tagName == "foo");
    import std.stdio;
    writeln(element.toString());
}
```
Now I forget to `import lib.html` and to call `html` on the IES:
```
void main() {
    string name = "<script>alert(-1)</script>";
    auto element = i"<foo>$(name)</foo>";
    import std.stdio;
    writeln(element);
}
```
```
$ dmd htmli.d
$ ./htmli
<foo><script>alert(-1)</script></foo>
```
`name` may have been a URL parameter or may be part of the POST
body. The important part is that it is attacker supplied and
controlled.
`writeln` should not print unadorned interpolated string
expressions.
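An added example (not from kdevel's post or Adam's repository) showing both halves of the remedy for the case above: a minimal `html` encoder that escapes only the interpolated values, and an output wrapper that rejects a raw sequence at compile time. It assumes the `core.interpolation` marker types (`InterpolationHeader`, `InterpolatedLiteral`, `InterpolatedExpression`, `InterpolationFooter`) as shipped with the DMD version named in the post; `escapeHtml`, `html` and `safeWriteln` are names chosen here.

```d
import core.interpolation;
import std.conv : to;
import std.stdio : writeln;
import std.traits : isInstanceOf;

// HTML-encode a runtime value so it cannot break out of its text position.
// Ampersand first, so the other replacements are not double-encoded.
string escapeHtml(string s)
{
    import std.array : replace;
    return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
            .replace("\"", "&quot;").replace("'", "&#39;");
}

// Walk the interpolated expression sequence: literal pieces come from the
// source file and are emitted as-is, every interpolated value is escaped.
// The constraint only accepts an actual sequence (header ... footer).
string html(Args...)(Args args)
if (is(Args[0] == InterpolationHeader) && is(Args[$ - 1] == InterpolationFooter))
{
    string result;
    static foreach (i, A; Args)
    {
        static if (isInstanceOf!(InterpolatedLiteral, A))
            result ~= args[i].toString();             // trusted markup from the literal
        else static if (!is(A == InterpolationHeader) && !is(A == InterpolationFooter)
                        && !isInstanceOf!(InterpolatedExpression, A))
            result ~= escapeHtml(to!string(args[i])); // runtime data, possibly attacker-controlled
        // header, footer and expression markers produce no output
    }
    return result;
}

// Output wrapper that refuses a raw sequence: it must go through html() first.
void safeWriteln(Args...)(Args args)
{
    static foreach (A; Args)
        static assert(!is(A == InterpolationHeader),
            "raw interpolated string reached output; wrap it in html()");
    writeln(args);
}

void main()
{
    string name = "<script>alert(-1)</script>"; // constructed value standing in for a URL parameter
    safeWriteln(html(i"<foo>$(name)</foo>"));   // script tags arrive in the output encoded
    // safeWriteln(i"<foo>$(name)</foo>");      // does not compile: the static assert fires
}
```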