Dynamically generated HTML #1998
Comments
@set-reminder in 3 days @tghosth to look at this |
⏰ Reminder
|
What case should it cover that is not covered by the current requirements 5.2.5 and 5.3.1?
|
When dynamically assembling HTML, sometimes escaping is not enough. Sometimes we need to sanitize blobs of user-driven HTML or CSS, and sometimes escaping is not enough, as in the case of a user-driven URL that lands in an SRC or similar attribute. Any kind of HTML assembly will require a very tactical combination of contextual encoding (for data that you want to display exactly as the user typed it in), strict validation (as in the case of URLs or other content that cannot be safely escaped) and content sanitization (as in the case of rich content like user-driven HTML or CSS that cannot otherwise be validated). |
For sanitization we also have:
For unintended content execution we have:
|
There are a few small edge cases not covered, but otherwise this collection of requirements is fairly complete. |
@jmanico do you think any of the existing requirements could be enhanced to cover the edge cases or do you think these are best left to a cheat sheet? |
These edge cases are so extensive I suggest we stick to a cheat sheet.
|
OK, so I think I will close this issue if that is OK, @jmanico? |
Agreed 👍🏼
|
Jim previously mentioned a requirement:
Jim says in a comment below that table that this is not sufficiently covered in 5.2.5 and that "I think safely building HTML (encoding and similar) and avoiding template injection (avoid server side template assembly) are different controls."
We need to assess if there are any other related requirements and how to proceed with this.