Re: [go-nuts] Are golang templates safe for end-user editing ?


Kyle Lemons

Sep 14, 2012, 2:50:17 PM9/14/12
to sahme...@gmail.com, golan...@googlegroups.com
It depends what you mean by "from a security perspective."  No, parsing a template should not open you up to arbitrary code execution or anything, but it requires careful thought about how the templates are executed and presented to users.  If they're all being served from the same domain, you could get into trouble if a malicious admin crafts his page correctly.

Also, use html/template. 

On Fri, Sep 14, 2012 at 6:47 AM, <sahme...@gmail.com> wrote:
If I had a web interface where I let end-users edit templates, is this safe from a security perspective?

I will obviously make sure I provide a data structure to my template that will not expose any data that poses a security risk.

I'm curious if it provides the same level of security like: http://liquidmarkup.org/


Patrick Mylund Nielsen

Sep 14, 2012, 2:55:16 PM9/14/12
to sahme...@gmail.com, golan...@googlegroups.com
No, it is not safe. For anything HTML-related you should use html/template, which is a wrapper around text/template that escapes stuff that might lead to XSS attacks.

If what you mean by letting users edit templates is that you let them control the information passed to Execute for that template, then yes, it's safe with html/template. If you let them edit the template files themselves, it is not.

Patrick Mylund Nielsen

Sep 14, 2012, 2:56:40 PM9/14/12
to sahme...@gmail.com, golan...@googlegroups.com
To clarify, by controlling stuff I mean supplying e.g. strings, numbers or form maps from requests to your template. If you let them pass html/template.HTML to your template, programmatically, then that too is unsafe.

Alex Zorin

Mar 20, 2014, 7:08:05 PM3/20/14
to golan...@googlegroups.com, sahme...@gmail.com
> then that too is unsafe

Is this statement borne only out of concern for XSS/browser attacks, or are there additional security implications? What about html/template templates for email messages, or a proprietary messaging protocol that supports HTML rendering?

Mainly, I am concerned about remote code execution and/or resource exhaustion attacks (such as the possibility of a very large or infinite loop in template execution).

Thank you and apologies for the necro,
Alex

Kyle Lemons

Mar 21, 2014, 8:52:30 PM3/21/14
to Alex Zorin, golang-nuts, sahme...@gmail.com
Allowing arbitrary editing to anything that is not autoescaped before being sent to the browser, including the template itself, is a recipe for disaster.  As an innocuous example, imagine adding <script>alert("pwned!")</script> to the template.  It assumes that's what you want, even though that would've been escaped to be safe if it were injected via html/template.
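The three situations discussed in this thread side by side, as an added example that is not code from the thread (the `untrusted` payload is constructed from the alert snippet above): html/template escapes a user-supplied string passed as data, passes a `template.HTML` value through untouched, and emits markup that sits in the template text itself verbatim.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
)

// Constructed sample: the "innocuous" payload from the thread, as an
// untrusted user might supply it.
const untrusted = `<script>alert("pwned!")</script>`

// render parses tmplText with html/template (contextual autoescaping)
// and executes it with data.
func render(tmplText string, data interface{}) (string, error) {
	t, err := template.New("page").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// Case 1 (safe): the user controls only the data. In HTML text context
// html/template escapes <, >, " and friends, so no script tag survives.
func DataAsString() (string, error) {
	return render(`<p>{{.}}</p>`, untrusted)
}

// Case 2 (unsafe): the same value typed as template.HTML is declared
// "already safe" and written out unescaped.
func DataAsHTML() (string, error) {
	return render(`<p>{{.}}</p>`, template.HTML(untrusted))
}

// Case 3 (unsafe): the user edits the template text. The payload is now
// literal markup, which the escaper never touches.
func UserEditedTemplate() (string, error) {
	return render(`<p>`+untrusted+`</p>`, "hello")
}

func main() {
	for _, c := range []struct {
		name string
		fn   func() (string, error)
	}{{"string data", DataAsString}, {"template.HTML data", DataAsHTML}, {"user-edited template", UserEditedTemplate}} {
		out, err := c.fn()
		fmt.Printf("%-22s -> %q (err=%v)\n", c.name, out, err)
	}
}
```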


