yogthos/Selmer

Guidance for using Selmer with untrusted templates

tomconnors opened this issue · 2 comments

Hi, thanks for this great library. I don't see anything in the readme or existing issues about using Selmer to process untrusted templates. In my use case, my program provides the variables and the users provide the templates. Are there any important security considerations when doing this? Should the readme mention this use case and provide some guidance?

Hi, I don't see too much of an issue if the data is provided by the program. You may want to consider running the templates through a function to escape any script tags before rendering the template to ensure they don't contain any scripts, but that's all I can think about being problematic with this use case. I'm not sure there's much to add in the readme regarding this.

@tomconnors you need to test the types for all the variables you are giving, because some filters will throw errors, and some encoders won't work (you need to add your own encoders for URL and URIs).

example:

;; Cheshire has no default encoder for java.net.URL / java.net.URI; register them so they serialise as strings
(cheshire.generate/add-encoder java.net.URL cheshire.generate/encode-str)
(cheshire.generate/add-encoder java.net.URI cheshire.generate/encode-str)

the date filters are picky about what you give them.

there are also some tag issues: the include tag is white-space sensitive and basically will throw away its args if you add too many spaces or new lines; it also only likes strings for values to its params.

I've had some issues with the verbatim tag as well, but my use case created templates that were almost impossible to read (extreme edge case).

not really security related, but you have to consider that you are just rendering text. text is not dangerous; it's the program that reads that text that is going to do bad things. so security stuff would happen after rendering (based on your use case, HTML? PDF? some other language as output?)

if you are making HTML, you could parse it and do your security checking on that. I imagine that there are HTML validators that could help with that. https://w3c.github.io/developers/tools/ is the first thing I found when searching for something like that.
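One way to put the advice in this thread into code, as an added example that is not from the Selmer project or from anyone posting here: render the user-supplied template against program-provided data, treat any filter or tag error raised by the untrusted template as a failed render rather than an unhandled exception, and then run the resulting HTML through a jsoup safelist so anything the template author typed outside the variables is cleaned. The namespace, function names and the jsoup dependency are my assumptions.

```clojure
;; Added example; not Selmer's own code. Assumes deps on selmer and org.jsoup/jsoup
;; (versions left to the reader) and that the output format is HTML.
(ns untrusted-templates.core
  (:require [selmer.parser :as parser])
  (:import [org.jsoup Jsoup]
           [org.jsoup.safety Safelist]))

;; Program-provided data. Keeping values to plain strings and numbers means every
;; value has a type Selmer's built-in filters and default HTML escaping handle;
;; Selmer escapes {{ }} output by default, so data values cannot inject markup.
(def context {:name "Ada" :visits 3})

(defn render-untrusted
  "Render a user-supplied template string against program-provided data.
   A template that misuses a filter or tag (e.g. a date filter on a number)
   throws during rendering; catch it so a bad template fails closed."
  [template ctx]
  (try
    {:ok (parser/render template ctx)}
    (catch Exception e
      {:error (.getMessage e)})))

(defn sanitize-html
  "Post-render check on the output text: keep only tags and attributes in
   jsoup's basic safelist, which drops script tags, event-handler attributes
   and other active content the template author may have written literally."
  [html]
  (Jsoup/clean html (Safelist/basic)))

(defn render-safe
  "Render, then sanitize. Returns {:html ...} on success or {:error ...}
   when the untrusted template could not be rendered."
  [template ctx]
  (let [{:keys [ok error]} (render-untrusted template ctx)]
    (if error
      {:error error}
      {:html (sanitize-html ok)})))

(comment
  ;; A template author embedding active content around program data:
  (render-safe "<p>Hi {{name}}</p><script>alert(1)</script>" context)
  ;; A template applying the date filter to a non-date value from the context:
  (render-safe "{{visits|date:\"yyyy\"}}" context))
```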