FAQ
I am trying to pass known-safe data (the string literal "/value") into a
JavaScript string within a template. Even when I "no-escape" this string by
converting it to type template.JSString, however, it still becomes escaped.
In the example below, I expect the output to be:

{key: "/value",}

However, the actual output has a preceding backslash:

{key: "\/value",}

A program that demonstrates this issue is below. Any ideas on what I'm
doing wrongly here?

http://play.golang.org/p/CzimCt2sqF

Thanks!

James

--
You received this message because you are subscribed to the Google Groups "golang-nuts" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.

  • Rob Pike at Apr 29, 2013 at 11:16 pm
    Here is a simpler version of the program: http://play.golang.org/p/ofD78EX10D

    From reading the template implementation source, the only difference
    in encoding between a regular string and a JSStr is that the latter
    does nothing special with backslashes, a detail irrelevant to your
    code. I'm pretty sure JSStr is not what you want: it guarantees
    safety, it does not require it. I leave the resolution to JavaScript
    experts, a set that does not include me.

    -rob

  • Andy Balholm at Apr 29, 2013 at 11:38 pm
    Interestingly, it works if you leave off the
    quotes: http://play.golang.org/p/EmlRqP6Evl

  • Rob Pike at Apr 29, 2013 at 11:50 pm
    Oh yes, of course.

    -rob

  • James Pirruccello at Apr 30, 2013 at 1:21 am
    Passing the bare value without quotes solves my problem; thanks!

    I can see where some of this behavior is happening in the source: http://golang.org/src/pkg/html/template/js.go#L142
    and http://golang.org/src/pkg/html/template/js.go#L273

    In the end I think the template package is doing the right thing here, and
    I hadn't fully wrapped my head around the task it was undertaking.

    Thanks for digging through this.

    - James

  • Minux at May 1, 2013 at 7:16 pm
    Although I don't know why, this seems to be intentional.
    http://tip.golang.org/src/pkg/html/template/js.go#L307

    PS: according to ECMAScript standard, "\/" means the same as "/", so this
    template/html behavior is valid.

  • Nick Thompson at May 2, 2013 at 11:11 pm
    The "\/" quoting avoids at least one XSS. This line is valid ECMAScript:

    var s = "</script><script>alert('pwned!');</script>";

    But if you embed that statement in HTML you have a problem: HTML doesn't
    know about JS string syntax, and the </script> will be interpreted as HTML.
    "<\/script>" is equivalent from the JS perspective, but it dodges the HTML
    parser.

    Nick

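    The behaviour worked out in this thread (James's quoted case, Andy's unquoted variant and Nick's "\/" point), as an added Go example that is not part of the original posts; the two templates, the hostile sample string and the helper functions are constructed for illustration:

```go
package main

import (
	"fmt"
	"html/template"
	"strings"
)

// Constructed templates (not from the thread). In quotedTmpl the action sits
// inside a JS string literal, so the JS string escaper runs; in bareTmpl the
// action is a whole JS value, so the JS value escaper runs instead.
const (
	quotedTmpl = `<script>var o = {key: "{{.}}"};</script>`
	bareTmpl   = `<script>var o = {key: {{.}} };</script>`
	// Constructed untrusted input: the string quoted in Nick's post.
	hostile = "</script><script>alert('pwned!');</script>"
)

// render executes tmplText with html/template and returns the output.
func render(tmplText string, v interface{}) (string, error) {
	t, err := template.New("t").Parse(tmplText)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	if err := t.Execute(&sb, v); err != nil {
		return "", err
	}
	return sb.String(), nil
}

// scriptTagsIntact reports whether the output contains exactly one "<script"
// and one "</script": the template's own tags and none smuggled in by data.
// Keeping this true is what the "\/" escaping of a JS string buys you.
func scriptTagsIntact(out string) bool {
	return strings.Count(out, "<script") == 1 && strings.Count(out, "</script") == 1
}

func main() {
	for _, c := range []struct {
		tmpl string
		val  interface{}
	}{
		{quotedTmpl, template.JSStr("/value")}, // JSStr in quotes: "\/value"
		{bareTmpl, template.JSStr("/value")},   // JSStr as bare value: "/value"
		{quotedTmpl, hostile},                  // plain string: "<" and "/" escaped
	} {
		out, err := render(c.tmpl, c.val)
		fmt.Printf("tags intact=%v err=%v  %s\n", scriptTagsIntact(out), err, out)
	}
}
```

    A JSStr only switches off backslash escaping inside a quoted JS string; the "/" is still written as "\/", which is why the bare-value form is the one that emits the literal unchanged.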
  • Minux at May 3, 2013 at 8:30 am

    On Fri, May 3, 2013 at 4:20 AM, Nick Thompson wrote:

    The "\/" quoting avoids at least one XSS. This line is valid ECMAScript:
    Great. Thank you for the explanation!

Discussion overview
group: golang-nuts
category: go
posted: Apr 29, '13 at 11:01p
active: May 3, '13 at 8:30a
posts: 8
users: 5
website: golang.org