Security issues with Mustache html templates

I have a use case where the contents of the Mustache HTML template could potentially be obtained from the application / end user (i.e. the contents of the script tag in the code snippet below).

<script id="template" type="x-tmpl-mustache"> Hello {{ name }}! </script> 

Since this could potentially lead to the execution of malicious code, I do the following:

  • Only a subset of HTML tags and template attributes is allowed (inside the script tag).
  • Allow only HTML-escaped variables, i.e. only {{name}} and not {{{name}}}.

Is there anything else that needs to be considered for application security?

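One way to enforce the two restrictions listed in the question before the template text reaches Mustache.render(), as an added example that is not code from the original post. The tag and attribute allowlists are assumptions chosen for this example. Besides {{{name}}}, the {{&name}} form also emits unescaped output, {{>name}} pulls in a partial and {{=<% %>=}} changes the delimiters (which would defeat any textual check), so the validator accepts plain {{name}} variables only, and only inside text or a quoted attribute value.

```javascript
// Added example, not code from the original post: reject a user-supplied
// Mustache template unless it uses only allowlisted HTML and plain {{name}}
// variables. The allowlists are assumptions chosen for this example.

const ALLOWED_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'ul', 'li', 'br', 'span']);
const ALLOWED_ATTRS = new Set(['class', 'title']);

// A plain, HTML-escaped variable: {{name}} or {{ user.name }}. Everything
// else ({{{x}}} and {{&x}} unescaped, {{>x}} partial, {{#x}} section,
// {{=<% %>=}} delimiter change, {{! comment}}) is rejected.
const PLAIN_VARIABLE = /^[A-Za-z_][A-Za-z0-9_.]*$/;

function checkMustacheTags(template) {
  const errors = [];
  let i = 0;
  while ((i = template.indexOf('{{', i)) !== -1) {
    const triple = template.startsWith('{{{', i);
    const close = triple ? '}}}' : '}}';
    const end = template.indexOf(close, i + close.length);
    if (end === -1) { errors.push(`unterminated tag at offset ${i}`); break; }
    const body = template.slice(i + close.length, end).trim();
    if (triple) errors.push(`unescaped triple mustache {{{${body}}}}`);
    else if (!PLAIN_VARIABLE.test(body)) errors.push(`disallowed tag {{${body}}}`);
    i = end + close.length;
  }
  return errors;
}

function checkHtml(template) {
  const errors = [];
  const TAG = /<\s*(\/?)\s*([A-Za-z][A-Za-z0-9-]*)([^>]*)>/g;
  const ATTR = /([^\s=\/>]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;
  const rest = template.replace(TAG, (whole, closing, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) errors.push(`tag <${tag}> not allowed`);
    for (const m of attrs.matchAll(ATTR)) {
      const attr = m[1].toLowerCase();
      if (!ALLOWED_ATTRS.has(attr)) errors.push(`attribute "${attr}" on <${tag}> not allowed`);
      if (m[2] !== undefined && !/^["']/.test(m[2])) errors.push(`unquoted value for "${attr}" on <${tag}>`);
    }
    // A variable may only sit inside a quoted attribute value; outside it the
    // escaped output would still land in attribute-name position.
    if (attrs.replace(/"[^"]*"|'[^']*'/g, '""').includes('{{')) {
      errors.push(`template tag outside a quoted attribute value in <${tag}>`);
    }
    return '';
  });
  // Anything that still starts with "<" was not a recognised element:
  // comments, <!DOCTYPE>, processing instructions or stray angle brackets.
  if (rest.includes('<')) errors.push('stray "<" or unrecognised markup');
  return errors;
}

// Returns a list of problems; an empty list means the template may be rendered.
function validateTemplate(template) {
  return [...checkMustacheTags(template), ...checkHtml(template)];
}

// Constructed inputs for demonstration.
const GOOD = '<p title="{{ title }}">Hello {{ name }}!</p>';
const BAD = '<p>Hello {{{ name }}}</p><img src=x onerror="alert(1)">';
console.log(validateTemplate(GOOD)); // []
console.log(validateTemplate(BAD));  // five problems: the triple mustache, <img>, src, its unquoted value, onerror
```

Run the check on the server side as well as in the browser, and store the template only after it passes; a template that was accepted once and later edited must be re-checked.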
2 answers

I think this is not a Mustache problem, if you follow the philosophy of "small, sharp tools". Then, before merging unsafe data (third-party JSON) with the template, you should check the data using other tools.

The easiest way to get started is to replace string fields containing insecure data.

    function clearJson(userStringData) {
      return JSON.parse(userStringData, function (k, v) {
        // string values containing something like
        // HTML tags or JS block braces will not pass
        return String(v).match(/[<>{}]/) ? 'UNSAFE' : v;
      });
    }

The space of possible inputs is too broad to give a short answer to your question. You can take any approach that is advanced enough for your application: determine the data formats expected from the user, and then at runtime delete incoming suspicious data that does not match these formats.

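The per-format approach the answer recommends, as an added example that is not the answerer's code: a schema of the field formats the application expects, a cleaner that keeps only fields matching them, and the escaping mustache.js applies to {{name}} (the ENTITY_MAP below is the set of characters mustache.js replaces), to show why a URL field still needs its own format check: `javascript:alert(1)` contains none of those characters and survives {{name}} unchanged. The schema, field names and sample payload are constructed for this example.

```javascript
// Added example, not code from the original answer: keep only the fields
// whose values match the format the application expects. SCHEMA, the field
// names and SAMPLE are constructed for this example.

const SCHEMA = {
  name:    { type: 'string',  pattern: /^[\p{L}\p{M} .'-]{1,64}$/u },
  age:     { type: 'integer', min: 0, max: 150 },
  website: { type: 'string',  pattern: /^https:\/\/[a-z0-9.-]+(\/[\w./-]*)?$/i },
  tags:    { type: 'array',   maxItems: 5, items: { type: 'string', pattern: /^[a-z0-9-]{1,20}$/ } },
};

function matchesFormat(spec, v) {
  switch (spec.type) {
    case 'string':  return typeof v === 'string' && spec.pattern.test(v);
    case 'integer': return Number.isInteger(v) && v >= spec.min && v <= spec.max;
    case 'array':   return Array.isArray(v) && v.length <= spec.maxItems &&
                           v.every((x) => matchesFormat(spec.items, x));
    default:        return false;
  }
}

// Parse untrusted JSON and return { data, dropped }: `data` holds only the
// keys that exist in the schema and match their format (unknown keys such as
// "__proto__" are dropped too); `dropped` lists what was discarded, for logging.
function cleanJson(userJsonText, schema = SCHEMA) {
  const raw = JSON.parse(userJsonText);
  if (raw === null || typeof raw !== 'object' || Array.isArray(raw)) {
    throw new TypeError('expected a JSON object');
  }
  const data = {};
  const dropped = [];
  for (const [key, value] of Object.entries(raw)) {
    const known = Object.prototype.hasOwnProperty.call(schema, key);
    if (known && matchesFormat(schema[key], value)) data[key] = value;
    else dropped.push(key);
  }
  return { data, dropped };
}

// The characters mustache.js replaces when rendering {{name}}.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;',
                     "'": '&#39;', '/': '&#x2F;', '`': '&#x60;', '=': '&#x3D;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"'`=\/]/g, (c) => ENTITY_MAP[c]);
}

// Constructed payload: a tag-free but dangerous URL, a tag with a space in it,
// an unknown key and a "__proto__" key. None of the string values contains
// < > { }, so a reviver that only looks for those characters keeps all of them.
const SAMPLE = '{"name":"O\'Brien","age":42,"website":"javascript:alert(1)",'
             + '"tags":["admin","x y"],"role":"root","__proto__":{"polluted":true}}';

console.log(cleanJson(SAMPLE));
// { data: { name: "O'Brien", age: 42 }, dropped: [ 'website', 'tags', 'role', '__proto__' ] }
console.log(escapeHtml('javascript:alert(1)')); // unchanged: escaping is not URL validation
```

The point of the `website` pattern is that HTML escaping and format validation answer different questions: escaping keeps a value from breaking out of the text or attribute it is placed in, while only the format check decides whether the value is acceptable in that attribute at all (an `href` accepts a `javascript:` URL without any of the escaped characters).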

You must check user input on the server, not just on the client. If some "bad code" is executed on the client, it is already too late ;)


Source: https://habr.com/ru/post/1234304/
