secure-handlebars
Automatically applying context-sensitive output escaping to prevent XSS!
Check out the latest slide deck, presented at OWASP AppSec USA 2015.
Security is of utmost importance!
Imagine a template is written like so: `<a href="{{url}}">{{url}}</a>`. When it is compiled with untrusted user data like `{"url": "javascript:alert(666)"}`, secure-handlebars automatically applies contextual escaping and generates the HTML `<a href="x-javascript:alert(666)">javascript:alert(666)</a>` as a result.

Clearly, the same `{{url}}` must be escaped according to its output context to prevent malicious script execution; an application using the original Handlebars alone would otherwise be vulnerable. This is achieved by enhancing the original Handlebars to perform the following steps:
Context | Examples |
---|---|
HTML Data | `<div>{{output}}</div>` |
HTML Comment | `<!-- {{output}} -->` |
HTML Attribute Value (unquoted, single-quoted and double-quoted) | `<a class={{output}}>` `<div class='{{output}}'>` `<div class="{{output}}">` |
URI in Attribute Value (unquoted, single-quoted and double-quoted) | `<a href={{output}}>` `<a href='{{output}}'>` `<a href="{{output}}">` |
CSS in Attribute Value (unquoted, single-quoted and double-quoted) | `<div style="color:{{output}}">` `<div style="background:url({{output}})">` |

It is generally a bad idea to place an `{{expression}}` inside scriptable contexts (e.g., `<script>{{script}}</script>` or `<div onclick="{{onclick}}">`). Check out the section on Warnings and Workarounds for resolutions.
We highly recommend using the express-secure-handlebars npm package for a streamlined experience of template pre-processing, compilation, context-sensitive output escaping, and data binding.
Automatically apply Contextual XSS Escaping for Handlebars templates on client-side
```html
<!-- Disable <script src="dist/handlebars.min.js"></script> -->
<script src="dist/secure-handlebars.min.js"></script>
<script>
// `tpl` stores a handlebars template as a string; `data` is the (untrusted) user data
var tpl = '<a href="{{url}}">{{url}}</a>',
    data = {url: 'javascript:alert(666)'};
// Compile the template and apply data binding with automatic contextual escaping.
// The resulting html is '<a href="x-javascript:alert(666)">javascript:alert(666)</a>'
var html = Handlebars.compile(tpl)(data);
</script>
```
You can perform offline pre-processing of your templates using the provided CLI utility, which rewrites the templates to insert contextual output escaping filter markup. Fully compatible with the original Handlebars, the rewritten templates can then be compiled and data-bound with secure-handlebars-helpers.
To achieve this, install the secure-handlebars npm globally, so it can be used in any project.
```sh
npm install secure-handlebars -g
```
Given a handlebars template file named `sample.hbs` like so:

```html
<!doctype html>
<html><title>{{title}}</title></html>
```
Get the template with contextual escaping filters inserted:

```sh
handlebarspp sample.hbs > sample.shbs
```

The pre-processed template file `sample.shbs` is fully compatible with the original (runtime) Handlebars:

```html
<!doctype html>
<html><title>{{{yd title}}}</title></html>
```
These rewritten templates can then go through the standard Handlebars pre-compilation process, and be used with secure-handlebars-helpers during runtime compilation.
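The following is an added example, not secure-handlebars' own code, that models the two steps described above in one small program: `scan()` walks a template and works out the HTML context of every `{{expression}}`; `preprocess()` then rewrites the template with a context-specific filter inserted, like `handlebarspp sample.hbs > sample.shbs` does, and `render()` binds data directly with the same filters, like the client-side snippet earlier. The escaping rules are deliberately simplified (they are not the exact xss-filters rules), the CSS context from the table is not modelled and is treated with the warning fallback, and of the helper names only `yd` comes from this page; `yc`, `yavd`, `yavs`, `yavu` and the `yu*` URI variants are names chosen for this example.

```javascript
// Added example (not the project's code): a small context-aware escaper in the
// spirit of secure-handlebars. Helper name `yd` is from the README; the other
// helper names and the escaping rules are this example's own simplification.
const URI_ATTRS = new Set(['href', 'src', 'action', 'formaction']);

const htmlData = v => String(v).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
const blockScriptUri = v => {           // the "x-" prefix behaviour shown in the README
  const s = String(v).trimStart();
  return /^(javascript|vbscript|data):/i.test(s) ? 'x-' + s : s;
};
const helpers = {
  yd:    htmlData,                                                   // HTML Data
  yc:    v => String(v).replace(/-/g, '&#45;').replace(/>/g, '&gt;'), // HTML Comment: value cannot form "-->"
  yavd:  v => htmlData(v).replace(/"/g, '&quot;'),                   // double-quoted attribute value
  yavs:  v => htmlData(v).replace(/'/g, '&#39;'),                    // single-quoted attribute value
  yavu:  v => String(v).replace(/[^A-Za-z0-9_.-]/g, c => '&#' + c.charCodeAt(0) + ';'), // unquoted value
  yuavd: v => helpers.yavd(blockScriptUri(v)),                       // URI in double-quoted attribute
  yuavs: v => helpers.yavs(blockScriptUri(v)),                       // URI in single-quoted attribute
  yuavu: v => helpers.yavu(blockScriptUri(v)),                       // URI in unquoted attribute
};

// Choose the helper for an expression found in parser state `state` inside attribute `attr`.
function helperFor(state, attr, warnings) {
  if (state === 'data') return 'yd';
  if (state === 'comment') return 'yc';
  if (state === 'dq' || state === 'sq' || state === 'unq') {
    const name = attr.toLowerCase();
    const quoted = { dq: 'yavd', sq: 'yavs', unq: 'yavu' }[state];
    if (name.startsWith('on') || name === 'style') {   // dangerous context: warn, fall back to attribute escaping
      warnings.push('unsafe output expression found at ' + name + ' attribute');
      return quoted;
    }
    return URI_ATTRS.has(name) ? 'yu' + quoted.slice(1) : quoted;
  }
  warnings.push('unsafe output expression found in ' + state + ' position'); // e.g. tag or attribute name
  return 'yd';
}

// Tokenise a template into literal text and expressions tagged with their context helper.
function scan(template) {
  const tokens = [], warnings = [];
  const ws = c => /\s/.test(c);
  let text = '', state = 'data', attr = '', i = 0;
  while (i < template.length) {
    if (template.startsWith('{{', i)) {
      const end = template.indexOf('}}', i);
      if (end < 0) throw new Error('unterminated expression');
      if (state === 'beforevalue') state = 'unq';              // <a class={{x}}>
      tokens.push({ text }); text = '';
      tokens.push({ expr: template.slice(i + 2, end).trim(), helper: helperFor(state, attr, warnings) });
      i = end + 2;
      continue;
    }
    if (state === 'data' && template.startsWith('<!--', i)) { state = 'comment'; text += '<!--'; i += 4; continue; }
    if (state === 'comment' && template.startsWith('-->', i)) { state = 'data'; text += '-->'; i += 3; continue; }
    const c = template[i];
    switch (state) {
      case 'data':        if (c === '<' && /[A-Za-z]/.test(template[i + 1] || '')) state = 'tagname'; break;
      case 'tagname':     if (ws(c)) state = 'tag'; else if (c === '>') state = 'data'; break;
      case 'tag':         if (c === '>') state = 'data'; else if (!ws(c)) { state = 'attrname'; attr = c; } break;
      case 'attrname':    if (c === '=') state = 'beforevalue'; else if (c === '>') state = 'data';
                          else if (ws(c)) state = 'tag'; else attr += c; break;
      case 'beforevalue': if (c === '"') state = 'dq'; else if (c === "'") state = 'sq'; else if (!ws(c)) state = 'unq'; break;
      case 'dq':          if (c === '"') state = 'tag'; break;
      case 'sq':          if (c === "'") state = 'tag'; break;
      case 'unq':         if (ws(c)) state = 'tag'; else if (c === '>') state = 'data'; break;
    }
    text += c; i++;
  }
  tokens.push({ text });
  return { tokens, warnings };
}

// Offline rewrite: {{title}} in HTML Data becomes {{{yd title}}}, as in sample.shbs.
function preprocess(template) {
  const { tokens, warnings } = scan(template);
  const out = tokens.map(t => t.expr === undefined ? t.text : '{{{' + t.helper + ' ' + t.expr + '}}}').join('');
  return { template: out, warnings };
}

// Runtime data binding on the raw template, applying the same helpers directly.
function render(template, data) {
  const { tokens, warnings } = scan(template);
  const html = tokens.map(t => t.expr === undefined ? t.text
    : helpers[t.helper](Object.prototype.hasOwnProperty.call(data, t.expr) ? data[t.expr] : '')).join('');
  return { html, warnings };
}

// Constructed sample input, reproducing the README's example:
console.log(render('<a href="{{url}}">{{url}}</a>', { url: 'javascript:alert(666)' }).html);
console.log(preprocess('<!doctype html>\n<html><title>{{title}}</title></html>').template);
```

`render()` consumes the raw `.hbs` template; the `.shbs` output of `preprocess()` is the form a real Handlebars runtime would compile once the named helpers are registered. The point to notice is that the same `{{url}}` receives the `yuavd` filter (scheme check plus attribute escaping) inside `href="..."` but only `yd` (HTML data escaping) between the tags, and that an expression inside an `on*` attribute produces a warning rather than silent output, mirroring the fallback behaviour described in the Warnings section.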
On the other hand, this utility also facilitates statistics collection. For instance, you can write a simple script to count the number of dangerous contexts (such as `<script>{{script}}</script>`).

```sh
npm test
```
- `<style>` tags: not supported yet. See the section below for details.
- `{{>partial}}` and `{{{{rawblock}}}}` are always placed in the HTML Data context, and they will result in the same Data context after data binding (hence, in-state and out-state are both of the data context).

Warnings and Workarounds

When output expressions are found inside dangerous (yet-to-be-supported) contexts, we echo warnings and gracefully fall back to applying the default Handlebars `escapeExpression()`. These warnings are indications of potential security exploits, and thus require closer inspection. Instead of simply abusing `{{{raw_expression}}}` to suppress the warnings, here are some alternative suggestions to secure your applications.
`<script>` tag

```html
<!-- Rewrite <script>var strJS = {{strJS}};</script> as: -->
<input type="hidden" id="strJS" value="{{strJS}}">
<script>var strJS = document.getElementById('strJS').value;</script>
```

```
[WARNING] SecureHandlebars: Unsafe output expression found at onclick JavaScript event attribute
```
Case 1. the data is trusted, or will not be used as URI/HTML output
`uriData` (a patched `encodeURI()`), `uriComponentData` (an alias of `encodeURIComponent()`), and the xss-filters that are already registered as Handlebars helpers.
This software is free to use under the BSD license. See the LICENSE file for license text and copyright information.
FAQs
To automatically apply context-sensitive XSS output filtering for Handlebars
The npm package secure-handlebars receives a total of 110 weekly downloads. As such, secure-handlebars popularity was classified as not popular.
We found that secure-handlebars demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 4 open source maintainers collaborating on the project.