Known-safe JSStrings still getting escaped

349 views
Skip to first unread message

James Pirruccello

unread,
Apr 29, 2013, 7:01:11 PM4/29/13
to golan...@googlegroups.com
I am trying to pass known-safe data (the string literal "/value") into a Javascript string within a template. Even when I "no-escape" this string by converting it to type template.JSString, however, it still becomes escaped. In the example below, I expect the output to be:

{key: "/value",}

However, the actual output has a preceding backslash:

{key: "\/value",}

A program that demonstrates this issue is below. Any ideas on what I'm doing wrongly here?


Thanks!

James

Rob Pike

unread,
Apr 29, 2013, 7:16:23 PM4/29/13
to James Pirruccello, golan...@googlegroups.com
Here is a simpler version of the program: http://play.golang.org/p/ofD78EX10D

From reading the template implementation source, the only difference
in encoding between a regular string and a JSStr is that the latter
does nothing special with backslashes, a detail irrelevant to your
code. I'm pretty sure JSStr is not what you want: it guarantees
safety, it does not require it. I leave the resolution to JavaScript
experts, a set that does not include me.

-rob

Andy Balholm

unread,
Apr 29, 2013, 7:38:05 PM4/29/13
to golan...@googlegroups.com, James Pirruccello
Interestingly, it works if you leave off the quotes: http://play.golang.org/p/EmlRqP6Evl

Rob Pike

unread,
Apr 29, 2013, 7:50:23 PM4/29/13
to Andy Balholm, golan...@googlegroups.com, James Pirruccello
Oh yes, of course.

-rob

James Pirruccello

unread,
Apr 29, 2013, 9:21:18 PM4/29/13
to golan...@googlegroups.com, Andy Balholm, James Pirruccello
Passing the bare value without quotes solves my problem; thanks!

I can see where some of this behavior is happening in the source: http://golang.org/src/pkg/html/template/js.go#L142 and http://golang.org/src/pkg/html/template/js.go#L273

In the end I think the template package is doing the right thing here, and I hadn't fully wrapped my head around the task it was undertaking.

Thanks for digging through this.

- James

minux

unread,
May 1, 2013, 3:16:19 PM5/1/13
to James Pirruccello, golan...@googlegroups.com
Although i don't know why, this seems to be intentional.

ps: according to ECMAScript standard, "\/" means the same as "/", so this
template/html behavior is valid.

Nick Thompson

unread,
May 2, 2013, 4:20:47 PM5/2/13
to minux, James Pirruccello, golan...@googlegroups.com
The "\/" quoting avoids at least one XSS.  This line is valid ECMAScript:

   var s = "</script><script>alert('pwned!');</script>";

But if you embed that statement in HTML you have a problem: HTML doesn't know about JS string syntax, and the </script> will be interpreted as HTML.
"<\/script>" is equivalent from the JS perspective, but it dodges the HTML parser.

    Nick



--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to golang-nuts...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
 
 

minux

unread,
May 3, 2013, 4:29:55 AM5/3/13
to Nick Thompson, James Pirruccello, golan...@googlegroups.com
On Fri, May 3, 2013 at 4:20 AM, Nick Thompson <n...@google.com> wrote:
The "\/" quoting avoids at least one XSS.  This line is valid ECMAScript:
Great. Thank you for explanation! 

   var s = "</script><script>alert('pwned!');</script>";

But if you embed that statement in HTML you have a problem: HTML doesn't know about JS string syntax, and the </script> will be interpreted as HTML.
"<\/script>" is equivalent from the JS perspective, but it dodges the HTML parser.

Reply all
Reply to author
Forward
0 new messages