Question Regarding Style Context #1512
Comments
I'm not sure but... Latte does not tokenize CSS, CSS is one context. And colon escaping simply disallows you to pass
@milo But in the example case there is no JavaScript at all. It is a very simple and harmless style, then why escape : in that case?
@soaj1664 As I wrote, Latte has only one CSS context. It supposes that the variable contains the CSS property value only, not the property name(s).
@milo Isn't it a major weakness? It means Latte has an implicit assumption that every input is harmful.
If it has an implicit assumption that every input is harmful, then why support a style context in the first place?
@milo I think what you said is that Latte supports the following
Why a weakness? Such an implicit assumption seems secure to me. You can use: And the CSS context is not for tag attributes only. You can use Latte syntax in CSS files.
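As an added illustration of the single property-value context milo describes (example code written for this thread, not Latte's own Filters.php; the template shape `style='color: {$value}'`, the escaper and the constructed inputs are assumptions here):

```python
import html
import re

# Characters that may appear unescaped inside a CSS property value
# (CSS identifier characters). Everything else gets escaped.
_SAFE = re.compile(r"[A-Za-z0-9_-]")


def escape_css_value(value: str) -> str:
    """Escape a string so it can only ever be a single CSS property value.

    The context assumes the template author wrote the property name and the
    colon themselves, so the variable must never be able to end the value,
    start another declaration or add a property name. Non-identifier
    characters are backslash-escaped (the thread's ':' becomes '\\:');
    whitespace and control characters use the hex form '\\HH ' because a raw
    newline cannot be backslash-escaped in CSS.
    """
    out = []
    for ch in value:
        if _SAFE.match(ch):
            out.append(ch)
        elif ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\%x " % ord(ch))
        else:
            out.append("\\" + ch)
    return "".join(out)


def render_style_attr(prop: str, value: str) -> str:
    """Emulate a template like style='color: {$value}' (constructed shape).

    The value is CSS-escaped first; because it lands inside an HTML attribute
    it is then attribute-escaped on top, so attribute quotes stay intact too.
    """
    css = escape_css_value(value)
    return "<div style='%s: %s'>" % (prop, html.escape(css, quote=True))


def count_declarations(style: str) -> int:
    """Count CSS declarations in a rendered style attribute by counting
    unescaped ':' separators (a ':' not preceded by a backslash)."""
    return len(re.findall(r"(?<!\\):", style))


if __name__ == "__main__":
    # "red" is a value and passes untouched; "color:red" is a whole
    # declaration and so its colon is escaped, exactly like the test-bed output.
    print(render_style_attr("color", "red"))
    print(render_style_attr("color", "color:red"))
    # Constructed input that tries to smuggle in a second declaration:
    print(render_style_attr("color", "red; width: 1px"))
```

Run stand-alone it prints the three rendered attributes; the third shows that `;`, spaces and `:` are all neutralised, so the attribute still carries exactly one declaration.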
It is not a weakness because now I understand what you wanted to say. I am wondering about : escaping, and the confusion arises because of the test-bed: see http://hoola.cz/nette-xss-test/?do=form-submit and look at the style context. Can you fix the test-bed?
I'll migrate it to a newer version soon, so I'll update it.
Thanks! Please make sure that I can set the value of
@milo Would you please tell me whether you have found time to update the test-bed? One more thing I would like to have your take on is: e.g.,
if https://github.com/nette/latte/blob/master/src/Latte/Runtime/Filters.php#L84 Please correct me if I missed something. Thanks!
This is an issue tracker, not a support forum.
@Majkl578 So you do not consider a false positive an ISSUE :D
Hey guys!
I had a comment. I am looking at the test-bed http://hoola.cz/nette-xss-test/?do=form-submit that you created during an earlier issue for testing Nette in different contexts.
My question is related to the style context. If I input a harmless style, e.g., color:red, then it should work, but what I received as output is
<div style='color\:red'>I am a style attribute context</div>
What's the point in escaping the colon? I think the use case would be to allow simple styles without JavaScript execution. Isn't it? Or am I missing something?
Thanks!