[racket] Web application question.

From: Michael W (mwilber at uccs.edu)
Date: Fri Feb 3 15:26:26 EST 2012

5 hours ago, Eli Barzilay wrote:
> That is completely incorrect.  There is nothing special about
> quasiquotes that makes them more resistant to injection over any kind
> of other templates. 

Pardon?

Now I'm curious. Xexprs *know* they're XML, so they escape normal
strings like you'd expect -- I assume that's what Harry meant.

For illustration, consider

(require xml) ; for xexpr->string

(let ([user-supplied-input "<script http=\"nasty\">...</script>"])
  (xexpr->string
    `(html
       (body
         (p ,user-supplied-input)))))

The quasiquote expands into

(xexpr->string
 '(html
    (body
        (p "<script http=\"nasty\">...</script>"))))

And then the xexpr library knows to escape the string, so this
becomes:

<html><body><p>&lt;script http="nasty"&gt;...&lt;/script&gt;</p></body></html>

I guess you're making the point that quasiquotes in a
web-server/templates template don't protect against injection.

After all, the templates library doesn't explicitly escape
anything whereas xexpr does.

-- 
Take care,
    _mike

Posted on the users mailing list.
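The contrast the post draws, written out as an added example (this is not code from the original message or from the Racket distribution). The xexpr path is the real `xml` library; the template path is emulated with plain `string-append`, which is an assumption standing in for what a `web-server/templates` template does when it splices a `@variable` into its output text verbatim. Both attacker strings are constructed for the example, and the attribute case goes slightly beyond the post to show that the xexpr writer also escapes the double quote inside attribute values.

```racket
#lang racket
;; Added example, not from the original post: the same attacker-controlled
;; input rendered through xexprs (escaped) and through raw string splicing
;; (not escaped), plus the fix for the raw path.
(require xml)

;; Constructed attacker input, as in the post.
(define user-supplied-input "<script http=\"nasty\">...</script>")

;; Constructed input aimed at an attribute value rather than element text.
(define attribute-input "x\" onmouseover=\"alert(1)")

;; 1. xexpr path: the string is data inside the tree, so xexpr->string
;;    escapes < > & when it serialises the p element's text.
(define (render-xexpr input)
  (xexpr->string
   `(html (body (p ,input)))))

;; 2. xexpr path, attribute context: attribute values are escaped as well,
;;    including the double quote, so the injected onmouseover stays inside
;;    the title value instead of becoming a new attribute.
(define (render-xexpr-attr input)
  (xexpr->string
   `(html (body (p ((title ,input)) "hover me")))))

;; 3. Template path (emulated; hypothetical helper, not the templates API):
;;    the value is spliced into the output text verbatim, so the script
;;    element lands in the page unchanged.
(define (render-template-raw input)
  (string-append "<html><body><p>" input "</p></body></html>"))

;; 4. Fix for the template path: escape before splicing.  A plain string is
;;    itself a valid xexpr, so xexpr->string on it returns the escaped text.
(define (render-template-escaped input)
  (string-append "<html><body><p>" (xexpr->string input) "</p></body></html>"))

(module+ main
  (printf "xexpr:\n  ~a\n" (render-xexpr user-supplied-input))
  (printf "xexpr attribute:\n  ~a\n" (render-xexpr-attr attribute-input))
  (printf "template raw:\n  ~a\n" (render-template-raw user-supplied-input))
  (printf "template escaped:\n  ~a\n" (render-template-escaped user-supplied-input)))
```

Run it with `racket file.rkt`. The first and last lines of output carry `&lt;script ...&gt;`, the raw template line carries a live `<script>` element, and the attribute line shows `title="x&quot; onmouseover=&quot;alert(1)"`. The lesson is the one in the post: escaping comes from the serializer treating the value as data, so it is available only on the code path that goes through that serializer, not from the quasiquote syntax itself.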