On 2023-05-30, Spiros Bousbouras <spi...@gmail.com> wrote:
> On Mon, 29 May 2023 22:39:05 -0000 (UTC)
> Kaz Kylheku <864-11...@kylheku.com> wrote:
>> On 2023-05-29, Kaz Kylheku <864-11...@kylheku.com> wrote:
>> > If it sucked this way, people would have changed it years ago,
>> > or added some mode flag.
>
> Perhaps not many people use the library.
>
>> On the other hand, that handling of attributes is vulnerable to injection; it's
>> not doing any escaping!
>>
>> [1]> (cl-who:with-html-output-to-string (out)
>>        (:table :cellpadding "0'>hahaha</table>" "what???"))
>> "<table cellpadding='0'>hahaha</table>'>what???</table>"
>>
>> Simply astonishing. If you happen to have any sensitive data going into
>> attributes that a user could manipulate, you have to remember to do your own
>> escaping, or you've enabled an injection attack.
>
> I've never used the library so I don't know in which situations you'd want
> to use it.
Generating HTML; e.g. in the dynamic pages of a web application.
> Can you describe a realistic scenario where the possibilities
> you mention would be relevant and what you would consider a good behaviour
> in such situations ?
Say we are coding a forum site and we have a page where user
profiles can be viewed. Users have websites:
... "Website:" (:a :href user-website-url ...) ...
The user-website-url comes from the user's profile; it is user-editable.
If user-website-url is not subject to HTML escaping, we have a security
issue: a user can put malicious HTML fragments into their website
string, which become part of the profile page, so that the page then
perpetrates an attack on someone who merely loads it.
The default interpolation behavior in HTML generation utilities should
be secure. When an HTML utility is used in its most succinct, convenient
and canonical way, as recommended by its documentation and examples, its
behavior should be secure.
Opting out of security should be the inconvenient choice requiring some
extra code, not opting in.
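As an added example (not part of the thread, and not cl-who's code), the following Python sketch shows the secure-by-default design the post argues for: a tiny tag renderer that escapes every attribute value and every child string unless the caller explicitly wraps it in a `Raw` marker, so opting out of escaping is the step that costs extra code. The `render`, `escape_attr`, `profile_website_link` and `Raw` names, and the hostile URL, are constructed for this example; the `0'>hahaha</table>` payload is the one quoted in the thread.

```python
"""Attribute escaping on by default, with an explicit opt-out (added example)."""
import html
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Raw:
    """Explicit opt-out: only a Raw-wrapped string is emitted verbatim."""
    text: str


def escape_attr(value) -> str:
    """Escape a value for use inside a double-quoted HTML attribute.

    html.escape(quote=True) rewrites & < > " and ', so neither quote style
    can terminate the attribute early.  Raw values bypass escaping on purpose.
    """
    if isinstance(value, Raw):
        return value.text
    return html.escape(str(value), quote=True)


def escape_text(value) -> str:
    """Escape a value used as element content (quotes need no escaping there)."""
    if isinstance(value, Raw):
        return value.text
    return html.escape(str(value), quote=False)


def render(name: str, attrs: Optional[dict] = None, *children) -> str:
    """Render <name key="value" ...>children</name>, escaping everything by default."""
    out = [f"<{name}"]
    for key, value in (attrs or {}).items():
        out.append(f' {key}="{escape_attr(value)}"')
    out.append(">")
    out.extend(escape_text(child) for child in children)
    out.append(f"</{name}>")
    return "".join(out)


def profile_website_link(user_website_url: str) -> str:
    """The profile-page fragment from the post: the href is user-editable."""
    return render("a", {"href": user_website_url}, "Website")


# Constructed inputs for the demonstration.
BREAKOUT = "0'>hahaha</table>"                 # the payload quoted in the thread
HOSTILE_URL = "http://example.com/'>injected"  # constructed, not a real site

if __name__ == "__main__":
    # The quote and angle brackets stay inside the attribute value.
    print(render("table", {"cellpadding": BREAKOUT}, "what???"))
    # Same for a user-supplied profile URL.
    print(profile_website_link(HOSTILE_URL))
    # Opting out is visible in the code and has to be done on purpose.
    print(render("a", {"href": Raw("https://example.com/ok")}, "Website"))
```

Note that the escaper is applied per attribute value, not to the assembled string, so there is no way to forget it when calling `render` in the ordinary way; the only unescaped output a reviewer can find is a `Raw(...)` call, which is easy to grep for.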