On 03/26/2014 10:55 AM, Chris Steipp wrote:
> On Wed, Mar 26, 2014 at 10:30 AM, Nuria Ruiz <nuria@wikimedia.org> wrote:
>>> Additionally, how you escape a plain parameter like class vs. an href vs. a parameter that is inserted into a URL vs. an id attribute are all different escaping strategies.
>> URLs in the template engine need to be handled on their own, sure. But what template engine does not work in this fashion? There are three separate "entities" you normally deal with when doing replacement: translations, URLs and plain attributes.
> When looking at a typical web page, you need several escaping strategies. OWASP roughly groups them into HTML body, plain attributes, URL context, JavaScript context, CSS context. My point was that you need several MakeWhateverSafe functions, and have to use them in the right context. So that is a long way of saying I disagree with you when you said that this could be automated without some process having knowledge of the HTML context and verifying the right escaping is being applied.
When compiling from DOM to the TAssembly JSON IR we encode the attribute context in the 'attr' binding. While executing this binding, TAssembly automatically escapes href / src and style attributes using the same sanitization logic as used in Parsoid, which in turn is a direct port of MediaWiki's Sanitizer.php. Despite offering this level of security support, it is the fastest library in our benchmarks.
KnockOff is compiling to TAssembly from KnockoutJS syntax, but other front-end syntaxes are possible like cscott's Spacebars to TAssembly compiler. We chose the KnockoutJS syntax primarily for its ease of implementation (the expression grammar is 70 lines, and DOM parsing is readily available). It also supports powerful and general parameter passing which is useful for things like i18n, and has good potential support for server-side pre-expansion followed by client-side updates by virtue of its attribute syntax.
Last night Matt was back working on the PHP port of TAssembly. We'll probably have an update on this in the next few days.
Gabriel
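The context-specific escaping both messages describe (OWASP's body / attribute / URL / CSS contexts, and an 'attr' binding that lets the engine pick the right one from the attribute name) as an added JavaScript sketch; this is illustration code, not TAssembly, KnockOff or Sanitizer.php, and its scheme allowlist and CSS checks are simplified assumptions, far shorter than MediaWiki's.

```javascript
// Added sketch, not TAssembly/KnockOff/Sanitizer.php code: the attribute name the
// compiler recorded in the binding selects the escaping strategy. The scheme
// allowlist and CSS checks are simplified assumptions for illustration.
const ESC_HTML = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML body and plain attribute values: entity-encode the five metacharacters.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESC_HTML[c]);
}

// URL context (href, src): relative URLs or an allowlisted scheme only; anything
// else (javascript:, data:, vbscript:, ...) is replaced by the empty string.
const SAFE_SCHEME = /^(?:https?|mailto|ftp):/i;
function sanitizeUrl(url) {
  // Browsers ignore embedded tabs/newlines in a scheme, so strip control chars first.
  const u = String(url).replace(/[\u0000-\u001f]/g, '');
  if (/^[a-z][a-z0-9+.-]*:/i.test(u) && !SAFE_SCHEME.test(u)) return '';
  return u;
}

// CSS context (style): reject constructs that can load resources or run code.
function sanitizeStyle(css) {
  const c = String(css);
  if (/expression\s*\(|url\s*\(|@import|behavior|javascript|[\\<>]/i.test(c)) {
    return '/* insecure input */';
  }
  return c;
}

// Render one attribute: the context is fixed by the name, never by the data.
function renderAttr(name, value) {
  const n = String(name).toLowerCase();
  let v;
  if (n === 'href' || n === 'src') v = sanitizeUrl(value);
  else if (n === 'style') v = sanitizeStyle(value);
  else if (n.startsWith('on')) return ''; // event handlers never come from data
  else v = value;
  return ` ${n}="${escapeHtml(v)}"`;
}

// Render an element whose attributes and text all come from untrusted data.
function renderElement(tag, attrs, text) {
  const a = Object.entries(attrs).map(([k, v]) => renderAttr(k, v)).join('');
  return `<${tag}${a}>${escapeHtml(text)}</${tag}>`;
}
```

The point to check in review is that `renderAttr` never lets the data choose the context: a value that looks like a URL in a `class` attribute is still only entity-encoded, and a `href` value is scheme-checked before encoding.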