Re: [w3c/webcomponents] [templates] Contextual auto-escaping (#711)

Other examples of (strict) contextual auto-escaping/sanitization:

- Angular: https://angular.io/guide/security#angulars-cross-site-scripting-security-model (or https://docs.angularjs.org/api/ng/service/$sce for Angular 1.x)

- Polymer-resin (https://github.com/Polymer/polymer-resin), an add-on for Polymer that enables contextual escaping in Polymer templates.

- Closure templates (https://developers.google.com/closure/templates/docs/security)

For an example of a specification of HTML attributes with security-sensitive contexts, see the one in Polymer-resin, https://github.com/Polymer/polymer-resin/blob/master/lib/contracts/contracts.js.

Note that this is a whitelist, and is incomplete (we're just adding attributes to the whitelist as they're needed and are getting reviewed for their security implications).

A very valuable side contribution of adding contextually autoescaped templating to the web platform (as well as the TrustedTypes proposal, which is about mediating injection sinks in the DOM API; the two largely correspond), would be to publish a comprehensive specification of the security properties (in the sense of whether they're an injection sink, and of what kind) of all HTML attributes and DOM properties.

It could be quite desirable to expose this metadata somewhere in the DOM (e.g. as read-only window.security.html.... and window.security.dom... objects similar to what's in https://github.com/Polymer/polymer-resin/blob/master/lib/contracts/contracts.js, but comprehensive and vetted and maintained by HTML spec authors). This would be useful for various other HTML templating systems (that may not be able to use the templating mechanism proposed here, but would want to use the same sanitization policies).

For more background on how the strict contextually auto-escaping/sanitizing template systems go together with safe/trusted types, see https://research.google.com/pubs/archive/42934.pdf
-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/w3c/webcomponents/issues/711#issuecomment-346206534

Received on Wednesday, 22 November 2017 00:38:17 UTC
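An added illustration of the attribute-contract idea described in the comment above (example code, not Polymer-resin's contracts.js or any code from the thread): each attribute is mapped to the kind of injection sink its value lands in, and values are escaped or rejected according to that sink kind. The contract table, the `about:invalid` replacement value and the dummy base URL are constructed assumptions; a real table needs a reviewed entry for every attribute.

```javascript
// Added example, not Polymer-resin's code: a minimal contextual attribute
// sanitizer driven by a per-attribute contract table in the spirit of
// contracts.js. The table is constructed for illustration and incomplete.

// Injection context an attribute value lands in.
const SinkKind = Object.freeze({
  TEXT: 'text', // plain text: HTML-escaped, otherwise unconstrained
  URL: 'url',   // navigation/resource URL: only allowed schemes pass
  JS: 'js',     // script context: untrusted values are never accepted
});

// Constructed whitelist: attribute name -> sink kind. Attributes absent
// from the table are unknown and rejected, so omissions fail closed.
const ATTRIBUTE_CONTRACTS = Object.freeze({
  title: SinkKind.TEXT, alt: SinkKind.TEXT,
  href: SinkKind.URL, src: SinkKind.URL,
  onclick: SinkKind.JS, onerror: SinkKind.JS,
});

const SAFE_URL_SCHEMES = new Set(['http:', 'https:', 'mailto:']);
const INNOCUOUS_URL = 'about:invalid'; // constructed replacement for rejected URLs
const DUMMY_BASE = 'https://example.invalid/'; // lets relative URLs parse

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns a value safe to emit inside a double-quoted attribute, or null
// when the attribute is a JS sink or has no contract (the caller drops it).
function sanitizeAttribute(name, value) {
  const kind = ATTRIBUTE_CONTRACTS[name.toLowerCase()];
  if (kind === undefined || kind === SinkKind.JS) return null;
  if (kind === SinkKind.TEXT) return escapeHtml(value);
  let scheme;
  try {
    scheme = new URL(String(value), DUMMY_BASE).protocol; // normalizes case and whitespace
  } catch (e) {
    return INNOCUOUS_URL; // unparseable URL
  }
  return SAFE_URL_SCHEMES.has(scheme) ? escapeHtml(value) : INNOCUOUS_URL;
}

// Renders an attribute list, dropping attributes the contracts reject.
function renderAttributes(attrs) {
  return Object.entries(attrs)
    .map(([n, v]) => [n, sanitizeAttribute(n, v)])
    .filter(([, v]) => v !== null)
    .map(([n, v]) => ` ${n}="${v}"`)
    .join('');
}
```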