Should th:inline="text" expressions be escaped


Should th:inline="text" expressions be escaped

munnja001
I was testing some code and realized that we are vulnerable to XSS attacks if we display user fields using inlining. We can easily avoid this by using the #strings utility. However, would it make sense to have th:inline="text" be escaped and create another inline method, th:inline="utext", for when you want inlining to be unescaped? I think this would be helpful to keep people from accidentally exposing XSS vulnerabilities.

Re: Should th:inline="text" expressions be escaped

Zemi
Administrator
Yes, we had some discussion about this topic
    https://github.com/thymeleaf/thymeleaf/issues/122
so maybe it could be included in future versions. The problem, then, would be backwards compatibility.

Re: Should th:inline="text" expressions be escaped

munnja001
If this is something that won't be fixed, could the docs be clarified? The docs suggest that text inlining would be a replacement for th:text. When I read that, I interpret it to mean that text inlining will act like th:text and escape text. I think it would be best to let developers know that by using inlining they're being exposed to XSS vulnerabilities.
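An added example, not taken from this thread or from the Thymeleaf project, showing the behaviour the first and third posts describe side by side: a Thymeleaf 2.x template (the version the thread concerns, where a `[[...]]` inlined expression is not escaped) rendered with a constructed model variable `username` whose value is `<script>alert('xss')</script>`. The variable name and its value are assumptions; the rendered results in the comments are what Thymeleaf 2.x produces for each form.

```html
<!-- Added example (not the thread's or Thymeleaf's own code).
     Model: username = "<script>alert('xss')</script>"  (constructed test value) -->
<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<body>

  <!-- 1. th:text escapes by default.
          Renders: <p>&lt;script&gt;alert('xss')&lt;/script&gt;</p>
          The browser shows the tag as literal text; nothing executes. -->
  <p th:text="${username}">placeholder</p>

  <!-- 2. th:utext is the explicit unescaped form (opt-in to raw HTML).
          Renders: <p><script>alert('xss')</script></p>
          Only acceptable for content you have already sanitized. -->
  <p th:utext="${username}">placeholder</p>

  <!-- 3. Text inlining in 2.x: [[...]] behaves like th:utext, not like th:text.
          Renders: <p>Hello, <script>alert('xss')</script>!</p>
          This is the XSS sink the thread is about. -->
  <p th:inline="text">Hello, [[${username}]]!</p>

  <!-- 4. Safe inlining in 2.x: escape explicitly with the #strings utility.
          Renders: <p>Hello, &lt;script&gt;alert('xss')&lt;/script&gt;!</p> -->
  <p th:inline="text">Hello, [[${#strings.escapeXml(username)}]]!</p>

</body>
</html>
```

When reviewing 2.x templates, treat every `[[${...}]]` that carries user-controlled data as equivalent to `th:utext` unless it is wrapped in `#strings.escapeXml`. Thymeleaf 3.0 later adopted the split the first post asks for: `[[...]]` is escaped and a separate `[(...)]` syntax is the unescaped form, so a 2.x-to-3.0 migration changes the output of form 3 above.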