Monday, February 9, 2009

Defending against XSS attacks in Freemarker

While Freemarker is quite rich in features, it seems to lack support for programmatically declaring HTML escaping as the default behavior for property access (the ${...} interpolations). You need to either add ?html to every access or wrap every single template in this:


<#escape x as x?html>
    ... your template code ...
</#escape>


This really has to be done in every file, including the ones that get included, such as macro definitions.

Both approaches rely on people remembering to do the right thing, and I don't trust anyone that much, particularly not myself. So instead I decided to add this bit of wrapper code programmatically in the code that loads the template. I took the idea from a posting on the freemarker-user mailing list. Instead of using the normal ClassTemplateLoader, I now do this:


// Prepend the escape directive to every template as it is read; the
// template files themselves stay untouched.
final TemplateLoader templateLoader = new ClassTemplateLoader(this.getClass(), templatePath) {
    @Override
    public Reader getReader(Object templateSource, String encoding) throws IOException {
        return new WrappingReader(super.getReader(templateSource, encoding), "<#escape x as x?html>", "");
    }
};
configuration.setTemplateLoader(templateLoader);


This uses the following class:


package domain.your.util;

import java.io.IOException;
import java.io.Reader;
import java.util.logging.Level;
import java.util.logging.Logger;

/**
 * A Reader that returns a fixed prologue, then everything the wrapped Reader
 * produces, then a fixed epilogue. Used here to put the FreeMarker escape
 * directive in front of every template without editing the template files.
 */
public class WrappingReader extends Reader {

    private static final Logger LOGGER = Logger.getLogger(WrappingReader.class.getName());

    private final Reader originalReader;
    private final char[] prologue;
    private final char[] epilogue;
    /** Characters handed out so far, counting prologue, delegate and epilogue. */
    private int pos = 0;
    /** Value of pos at which the delegate reported end of stream, or -1 while it still has data. */
    private int firstEpilogueChar = -1;
    private boolean closed = false;

    public WrappingReader(Reader originalReader, char[] prologue, char[] epilogue, Object lock) {
        super(lock);
        this.originalReader = originalReader;
        this.prologue = prologue;
        this.epilogue = epilogue;
    }

    public WrappingReader(Reader originalReader, char[] prologue, char[] epilogue) {
        this.originalReader = originalReader;
        this.prologue = prologue;
        this.epilogue = epilogue;
    }

    public WrappingReader(Reader originalReader, String prologue, String epilogue, Object lock) {
        this(originalReader, prologue.toCharArray(), epilogue.toCharArray(), lock);
    }

    public WrappingReader(Reader originalReader, String prologue, String epilogue) {
        this(originalReader, prologue.toCharArray(), epilogue.toCharArray());
    }

    @Override
    public int read(char[] cbuf, int off, int len) throws IOException {
        if (closed) {
            throw new IOException("Reader has been closed already");
        }
        final int oldPos = pos;
        LOGGER.log(Level.FINE, String.format("Reading %d characters from position %d", len, pos));

        // Phase 1: serve the prologue.
        if (pos < prologue.length) {
            final int toCopy = Math.min(prologue.length - pos, len);
            LOGGER.log(Level.FINE, String.format("Copying %d characters from prologue", toCopy));
            System.arraycopy(prologue, pos, cbuf, off, toCopy);
            pos += toCopy;
            if (toCopy == len) {
                LOGGER.log(Level.FINE, "Copied from prologue only");
                return len;
            }
        }

        // Phase 2: pass the wrapped reader through until it reports end of stream.
        if (firstEpilogueChar == -1) {
            final int copiedSoFar = pos - oldPos;
            final int read = originalReader.read(cbuf, off + copiedSoFar, len - copiedSoFar);
            LOGGER.log(Level.FINE, String.format("Got %d characters from delegate", read));
            if (read != -1) {
                pos += read;
                // A short read is not end of stream: Reader.read may return fewer than
                // len characters, so hand back what we have and let the caller ask again.
                // Treating a short read as EOF would truncate the template and append
                // the epilogue in the middle of it.
                return pos - oldPos;
            }
            // Only -1 means the delegate is exhausted; from here on serve the epilogue.
            firstEpilogueChar = pos;
        }

        // Phase 3: serve the epilogue.
        final int copiedSoFar = pos - oldPos;
        final int epiloguePos = pos - firstEpilogueChar;
        final int toCopy = Math.min(epilogue.length - epiloguePos, len - copiedSoFar);
        if (toCopy <= 0 && copiedSoFar == 0) {
            return -1; // everything has been delivered
        }
        LOGGER.log(Level.FINE, String.format("Copying %d characters from epilogue", toCopy));
        System.arraycopy(epilogue, epiloguePos, cbuf, off + copiedSoFar, toCopy);
        pos += toCopy;
        LOGGER.log(Level.FINE, String.format("Copied %d characters, now at position %d", pos - oldPos, pos));
        return pos - oldPos;
    }

    @Override
    public void close() throws IOException {
        originalReader.close();
        closed = true;
    }
}


Note that this means that in some cases you may need to switch the escaping off again, which Freemarker allows with the <#noescape> directive. You also can't use template configuration via the <#ftl> directive anymore, since that would have to come before the <#escape>. Since I never felt the urge to use it, I don't care.
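To check that the wrapper really does what it promises, here is an added self-test that is not part of the original post: it puts the WrappingReader from above in front of a StringTemplateLoader (so the templates can be constructed inline instead of being loaded from the classpath), renders a value containing markup and asserts that it comes out escaped, while a <#noescape> block still emits it raw. AutoEscapeCheck, autoEscaping and render are names chosen here; unlike the snippet above it passes </#escape> as the epilogue so the directive is closed explicitly, and it assumes the FreeMarker 2.3 API and the WrappingReader class on the classpath.

```java
package domain.your.util;

import java.io.IOException;
import java.io.Reader;
import java.io.StringWriter;
import java.util.HashMap;
import java.util.Map;
import freemarker.cache.StringTemplateLoader;
import freemarker.cache.TemplateLoader;
import freemarker.template.Configuration;
import freemarker.template.TemplateException;

public class AutoEscapeCheck {

    /** Wraps any TemplateLoader so that every template it serves starts with the escape directive. */
    static TemplateLoader autoEscaping(final TemplateLoader delegate) {
        return new TemplateLoader() {
            public Object findTemplateSource(String name) throws IOException {
                return delegate.findTemplateSource(name);
            }
            public long getLastModified(Object source) {
                return delegate.getLastModified(source);
            }
            public Reader getReader(Object source, String encoding) throws IOException {
                // Same idea as the ClassTemplateLoader override in the post; here the epilogue closes the directive.
                return new WrappingReader(delegate.getReader(source, encoding),
                        "<#escape x as x?html>", "</#escape>");
            }
            public void closeTemplateSource(Object source) throws IOException {
                delegate.closeTemplateSource(source);
            }
        };
    }

    /** Renders the named template with the single model value "v" and returns the output. */
    static String render(Configuration cfg, String name, Object value) throws IOException, TemplateException {
        Map<String, Object> model = new HashMap<String, Object>();
        model.put("v", value);
        StringWriter out = new StringWriter();
        cfg.getTemplate(name).process(model, out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed templates: a plain interpolation and one that opts out of escaping.
        StringTemplateLoader templates = new StringTemplateLoader();
        templates.putTemplate("greet.ftl", "<p>Hello ${v}</p>");
        templates.putTemplate("raw.ftl", "<#noescape>${v}</#noescape>");
        Configuration cfg = new Configuration();
        cfg.setTemplateLoader(autoEscaping(templates));
        // Constructed untrusted value; ?html escapes < > & " so it renders as inert text
        // (that is enough for HTML text and double-quoted attributes, not for script blocks or URLs).
        String input = "<script>alert(1)</script>";
        String escaped = render(cfg, "greet.ftl", input);
        if (!escaped.equals("<p>Hello &lt;script&gt;alert(1)&lt;/script&gt;</p>")) {
            throw new AssertionError("auto-escaping did not apply: " + escaped);
        }
        // #noescape bypasses the wrapper, so every such block deserves the same review as raw output.
        if (!render(cfg, "raw.ftl", input).equals(input)) {
            throw new AssertionError("unexpected #noescape output");
        }
    }
}
```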
