Tel scheme handling in HTML templates


Alvaro Genial

Jun 5, 2013, 11:22:51 AM
to golang-nuts
Howdy,

It seems the HTML template package considers `tel:` URIs to be unsafe
within `href` contexts, as evidenced by the `#ZgotmplZ` value I
observed in the output. (Though I believe specifying the scheme
textually as part of the attribute in the template itself exhibits
different behavior.)

Is this a deliberate decision? I expected that, like `mailto:`, URIs
with a `tel:` scheme would be considered safe if they are otherwise
valid.

Thank you,

Alvaro

Nigel Tao

Jun 5, 2013, 8:22:28 PM
to Alvaro Genial, Mike Samuel, golang-nuts
I believe that it's deliberate, but Mike Samuel is the authority on
html/template.

Mike Samuel

Jun 6, 2013, 3:04:36 PM
to Alvaro Genial, golang-nuts, Nigel Tao
2013/6/5 Nigel Tao <nige...@golang.org>:
> I believe that it's deliberate, but Mike Samuel is the authority on
> html/template.
>
>
> On Thu, Jun 6, 2013 at 1:22 AM, Alvaro Genial <gen...@alva.ro> wrote:
>> It seems the HTML template package considers `tel:` URIs to be unsafe
>> within `href` contexts, as evidenced by the `#ZgotmplZ` value I
>> observed in the output. (Though I believe specifying the scheme
>> textually as part of the attribute in the template itself exhibits
>> different behavior.)

This is done for URLs whose scheme is not white-listed and which are
not of type content.URL.

>> Is this a deliberate decision? I expected that, like `mailto:`, URIs
>> with a `tel:` scheme would be considered safe if they are otherwise
>> valid.

I was being conservative in white-listing protocols.

I'm not that familiar with tel: URLs. What makes one valid & safe?
https://code.google.com/p/browsersec/wiki/Part1#True_URL_schemes
doesn't even mention it but my vague recollection is that there have
been some abuses of tel: though
http://software-security.sans.org/blog/2010/11/08/insecure-handling-url-schemes-apples-ios/
suggests it was not as bad as the skype trick that Mario used to
initiate phone calls (
https://www.owasp.org/images/0/03/Mario_Heiderich_OWASP_Sweden_The_image_that_called_me.pdf
).

Alvaro Genial

Jun 7, 2013, 5:30:42 PM
to mikes...@gmail.com, golang-nuts, Nigel Tao
Thanks for the explanation.

On Thu, Jun 6, 2013 at 3:04 PM, Mike Samuel <mikes...@gmail.com> wrote:
> I was being conservative in white-listing protocols.

Seems like the right approach.

> I'm not that familiar with tel: URLs. What makes one valid & safe?

Being only somewhat familiar with these kinds of URIs, I defer to the RFCs on validity:


And security:


If you're open to whitelisting (possibly some subset of) these URIs, I can look into it in more detail, but I wanted to sanity check the idea first. What do you think? In that vein, perhaps the template package should defer to net/url for parsing rather than reinvent the wheel in html/template/url.go.

Alvaro
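
An application-side scheme allowlist built on net/url, along the lines Alvaro suggests, written here as an added example (not code from html/template or from anyone in the thread). It assumes the application, rather than the template package, decides to trust tel:, and hands a checked value to the template as template.URL, the content type the URL filter passes through. The accepted tel: syntax (a leading '+', digits, and '-', '.', '(' and ')' as separators, no parameters) is a deliberately narrow subset chosen for this example, not the full tel URI grammar; the helper names and sample inputs are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"html/template"
	"net/url"
)

// Hypothetical application-level scheme allowlist (constructed for this example).
// html/template's built-in list cannot be extended, so a value the app has
// checked is returned as template.URL, which the template's URL filter passes
// through unchanged; everything else is rejected before it reaches the template.
var allowedSchemes = map[string]bool{
	"http":   true,
	"https":  true,
	"mailto": true,
	"tel":    true,
}

var ErrSchemeNotAllowed = errors.New("scheme not allowed")

// safeHref parses raw with net/url and returns it as trusted URL content only if
// the scheme is on the allowlist and, for tel:, the number part is well formed.
func safeHref(raw string) (template.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	// url.Parse lowercases the scheme; leading whitespace or a missing scheme
	// yields "", which this helper rejects rather than guessing at intent.
	if u.Scheme == "" {
		return "", errors.New("scheme missing")
	}
	if !allowedSchemes[u.Scheme] {
		return "", ErrSchemeNotAllowed
	}
	// For "tel:+1..." net/url stores everything after the colon in Opaque.
	if u.Scheme == "tel" && !validTelNumber(u.Opaque) {
		return "", errors.New("malformed tel number")
	}
	return template.URL(raw), nil
}

// validTelNumber accepts a deliberately narrow subset of tel: numbers for this
// example: a leading '+', then digits, with '-', '.', '(' and ')' as visual
// separators. Parameters (";ext=..."), local numbers and anything else are
// rejected, which keeps the check conservative.
func validTelNumber(num string) bool {
	if len(num) == 0 || num[0] != '+' {
		return false
	}
	digits := 0
	for _, r := range num[1:] {
		switch {
		case r >= '0' && r <= '9':
			digits++
		case r == '-' || r == '.' || r == '(' || r == ')':
			// visual separator, allowed
		default:
			return false
		}
	}
	return digits > 0
}

func main() {
	// Constructed inputs, including values the allowlist must refuse.
	for _, raw := range []string{
		"tel:+1-555-555-0100",
		"TEL:+15555550100",
		"mailto:alvaro@example.com",
		"tel:+15555550100;ext=42",
		"tel:call-me",
		"javascript:void(0)",
		" tel:+15555550100",
	} {
		if u, err := safeHref(raw); err != nil {
			fmt.Printf("%-28q rejected: %v\n", raw, err)
		} else {
			fmt.Printf("%-28q accepted as %s\n", raw, u)
		}
	}
}
```

The design point is that the decision to trust tel: lives in one reviewable place in the application, and the template only ever sees either a template.URL that passed that check or nothing at all; a plain string that slips through still gets html/template's default `#ZgotmplZ` treatment.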



Erik Formella

May 18, 2017, 2:45:03 PM
to golang-nuts, mikes...@gmail.com, nige...@golang.org
Resurrecting this thread. Would adding support for tel: uris be welcomed? And should we use net/url to do so?