Tuesday, May 24, 2011

FreeMarker built-ins for security

FreeMarker (latest version is 2.3.18, released on 5/21/2011) has many built-ins for strings. A few of them provide an easy way to eliminate potential XSS attacks through output filtering, i.e. escaping values for the context they are written into.

  • html
    The string as HTML markup. That is, the string with all:
      • < replaced with &lt;
      • > replaced with &gt;
      • & replaced with &amp;
      • " replaced with &quot;
  • url
    The string after URL escaping. This means that all non-US-ASCII and reserved URL characters will be escaped with %XX.
  • js_string
    Escapes the string with the escaping rules of JavaScript language string literals, so it is safe to insert the value into a string literal. Both the quotation mark (") and the apostrophe-quote (') are escaped. Starting from FreeMarker 2.3.1, it also escapes > as \> (to avoid </script>). Furthermore, all characters under UCS code point 0x20 that have no dedicated escape sequence in the JavaScript language will be replaced with a hexadecimal escape (\xXX).

These three built-ins can be applied singly or chained, as in the examples below. Chained built-ins are applied left to right, so the innermost context (the URL) is escaped first and the outermost (the HTML attribute) last; and since ?html leaves the apostrophe alone, keep attribute values delimited with double quotes.
<a href="http://hjzhao.blogspot.com/built-ins?name=${thename?url?html}">
<td onclick="openURL('newpage?param=${value?url?js_string?html}');">Click Me</td>
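The layering in the onclick example, as an added Python model that is not from the original post or from FreeMarker itself: ftl_url, ftl_js_string and ftl_html are simplified reimplementations of the three built-ins following the rules listed above (the ?url safe-character set is an assumption), and browser_decode undoes the layers in the order a browser does, which is why the template escapes for url first, then js_string, then html.

```python
import html
import re
from urllib.parse import quote, unquote

# ?url model: letters, digits and the RFC 2396 unreserved marks are kept; every
# other character becomes %XX of its UTF-8 bytes (assumed to match FreeMarker).
_URL_SAFE = "-_.!~*'()"

def ftl_url(s: str) -> str:
    return quote(s, safe=_URL_SAFE)

def ftl_html(s: str) -> str:
    # Only the four replacements listed above; note that ' is left alone.
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))

# JS escapes with a dedicated sequence, including the \> rule from 2.3.1.
_JS_DEDICATED = {"\\": "\\\\", '"': '\\"', "'": "\\'", ">": "\\>",
                 "\n": "\\n", "\r": "\\r", "\t": "\\t", "\b": "\\b", "\f": "\\f"}

def ftl_js_string(s: str) -> str:
    out = []
    for ch in s:
        if ch in _JS_DEDICATED:
            out.append(_JS_DEDICATED[ch])
        elif ord(ch) < 0x20:  # control character without its own escape
            out.append("\\x%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def onclick_attr(value: str) -> str:
    """Attribute body for <td onclick="openURL('newpage?param=...');">:
    escape for the innermost context (URL) first, the outermost (HTML) last."""
    return "openURL('newpage?param=%s');" % ftl_html(ftl_js_string(ftl_url(value)))

def js_unescape(lit: str) -> str:
    """Minimal JS string-literal decoder covering the escapes produced above."""
    rev = {v[1:]: k for k, v in _JS_DEDICATED.items()}
    return re.sub(r"\\x([0-9A-Fa-f]{2})|\\(.)",
                  lambda m: chr(int(m.group(1), 16)) if m.group(1) else rev[m.group(2)],
                  lit)

def browser_decode(attr: str) -> str:
    """Recover the parameter the way a browser does: HTML-decode the attribute,
    then parse the JS string literal, then URL-decode the query value."""
    code = html.unescape(attr)
    lit = code[len("openURL('newpage?param="):-len("');")]
    return unquote(js_unescape(lit))
```

Any quote, angle bracket or control character in the value reaches the attribute only in escaped form, yet the browser recovers the exact original as the query parameter.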
