[racket] Web application question. [and 1 more messages]

From: Michael W (mwilber at uccs.edu)
Date: Fri Feb 3 15:26:26 EST 2012

5 hours ago, Eli Barzilay wrote:
> That is completely incorrect.  There is nothing special about
> quasiquotes that makes them more resistant to injection over any kind
> of other templates. 


Now I'm curious. Xexprs *know* they're XML, so they escape normal
strings like you'd expect -- I assume that's what Harry meant.

For illustration, consider

(let ([user-supplied-input "<script http=\"nasty\">...</script>"])
         (p ,user-supplied-input)))))

The quasiquote expands into

        (p "<script http=\"nasty\">...</script>"))))

And then the xexpr library knows to escape the string, so this

<html><body><p>&lt;script http="nasty"&gt;...&lt;/script&gt;</p></body></html>

I guess you're making the point that quasiquotes in a
web-server/templates template doesn't protect against injection.

After all, the templates library doesn't explicitly escape
anything whereas xexpr does.

Take care,

Posted on the users mailing list.