angular translate sanitize / escape - javascript

I got a strange or maybe intended behavior with angular translate.
Our value strategie is
$translateProvider.useSanitizeValueStrategy('sanitize');
We use mostly the translate filter in our application, but when it comes to special characters we get for example instead of Überschrift something like &#220 ;berschrift.
If I use the directive it works.
If I use the filter this only works when the sanitize strategy is set to "escaped".
Is there another solution than to rewrite ALL the translation filters to directives?
Here is my plnkr http://plnkr.co/edit/QIMVQcyH5APeYxNnS82v
For your information,
I can't simply use the "escaped" strategy, because we use angular translate variables as well and these variables contain sometimes even html tags.
Thanks!

Use sanitizeParameters instead of sanitize. Here is the fixed plnkr: http://plnkr.co/edit/qicVqPXn3qo6hMNa1fY2?p=preview
(EDIT: 07/10/2016): There is a significant difference between the two sanitization strategies. sanitizeParameters sanitizes the interpolation parameters and not the translated output. That means that it doesn't allow for changes in those parameters, but the translated content is still vulnerable since it's not sanitized.
The problem with sanitize and UTF-8 characters is a known issue and I believe it's being worked on.

$translateProvider.useSanitizeValueStrategy(['escape', 'sanitizeParameters']);
This works for my project. I hope this is secure enough.
Source: https://stackoverflow.com/a/39118996/9798484

Related

How to handle sanitizing in JavaScript editors that allow formatting

Many editors like Medium offers formatting now. From what I see in the DOM it simply adds HTML. But how do you sanitize this kind of input without losing the formatting applied by the user?
E.g. clicking bold adds:
<strong class="markup--strong markup--p-strong">text</strong>
but you wouldn't want to render if the user enters that by themselves. So how's that different? Also would that be different if you would style with markdown but also don't let users enter their own markdown but make it only accessible through the browser?
One way I could think of is, escaping every HTML special character, but that seems odd. As far as I know you sanitizer the content only when outputting it
You shold use a server side sanitizer, as stated by Vipin as client side validation is prone to be tampered.
OWASP (Open Web Application Security Project) has some guides and sanitizers that you may use like the java-html-sanitizer.
For a generic brief on the concept please read this https://www.owasp.org/index.php/Data_Validation under the section Sanitize.
You could replace the white-listed elements with other character, for example:
<strong.*> becomes |strong|
Then you remove ALL other HTML. Be aware of onmouseover="alert(1)" so keep it really simple.
Also be careful when rendering the user input. Don't just add it as code. Instead parse it and create the elements using JavaScript. Never use innerHTML, but do use .innerText and document.createElement().

How to change the don't-escape HTML delimiter in Mustache.js

I know I can change the default delimiter using Mustache.tags('[[', ']]');
I dig into the source code, but I can't find and figure out how to change the don't-escape HTML delimiter, which is {{{ }}} by default. Any help is appreciated.
I believe your question is how to turn off the default html entity escaping behaviour of a mustache template when you have specified custom delimiters. This can be a bit confusing since the default behaviour, that you will see if you look this up, is to use triple braces such as {{{some-value}}}. I'm going to assume you mean from a users point of view and not a developers point of view - despite the reference to the source code.
There are two ways:
Mustache provides an alternative syntax for turning off HTML escaping using the & character. So with your custom delimiters of '[[' and ']]' you would specify your placeholder as
[[&some-value]]
Simply use '{ }' within your custom delimiters. E.g.
[[{some-value}]]
I don't believe there is any way to change either of these inner syntaxes. Some templating systems are a lot more flexible (e.g. doT uses regexes for all matching), but mustache is less flexible (which many will see as an advantage)
Hope that clears things up. I know this is an old question, but perhaps this might still
help you or anyone else also looking this up.
Changing don't-escape HTML delimiter is only possible by modifying the source, because it's hardcoded into the parser and defined as openingTag + "{" and "}" + closingTag. And with hardcoded I mean, that you'd possibly have to change logic, not just a (few) regex. Thanks to #Thomas to dedicate his time for me.

How do i avoid eval() from converting 1e-1 to 0.1?

I'm using a thrid party javascript library that uses eval() so when i call one of it's functions with the "1e-1" value as a parameter i get 0.1 returned. How can i escape this or avoid it from parsing the number?
A basic example would be:
console.log(eval("1e-1"));
I want the result to be 1e-1, but eval still needs to be there.
EDIT:
Okay Ignore the console example above
THIS is the example it should work on:
There is no way around using this library. Sorry.
Dont use eval(). Of course, Number("1e-1") has the same "problem". However, if you want a string back from eval you have to feed it with one: eval("'1e-1'").
One quick way to do this is to simply replace the hyphen with it's Character Entity code instead:
console.log(eval("1e-1"));
Update
After experimenting for quite a while, the only thing that was close is placing spaces before and after the hyphen:
features[1].attributes.tag= "1e - 1";
I thought it worth mentioning incase this will suffice for what you need.

Parsing Custom JavaScript Annotations

Implementing a large JavaScript application with a lot of scripts, its become necessary to put together a build script. JavaScript labels being ubiquitous, I've decided to use them as annotations for a custom script collator. So far, I'm just employing the use statement, like this:
use: com.example.Class;
However, I want to support an 'optional quotes' syntax, so the following would be parsed correctly as well
use: 'com.example.Class';
I'm currently using this pattern to parse the first form:
/\s*use:\s*(\S+);\s*/g
The '\S+' gloms all characters between the annotation name declaration and the terminating semi colon. What rule can I write to substitute for \S+ that will return an annotation value without quotes, no matter if it was quoted or not to begin with? I can do it in two steps, but I want to do it in one.
Thanks- I know I've put this a little awkwardly
Edit 1.
I've been able to use this, but IMHO its a mess- any more elegant solutions? (By the way, this one will parse ALL label names)
/\s*([a-z]+):\s*(?:['])([a-zA-Z0-9_.]+)(?:['])|([a-zA-Z0-9_.]+);/g
Edit 2.
The logic is the same, but expresses a little more succinctly. However, it poses a problem as it seems to pull in all sorts of javascript code as well.
/\s*([a-z]+):\s*'([\w_\.]+)'|([\w_\.]+);/g
Ok -this seemed to do it. Hope someone can improve on it.
/\s*([a-z]+): *('[\w_\/\.]+'|[\w_\/\.]+);/g

nested quotes in javascript

A bit of a noob question here...
I have a javascript function on a list of table rows
<tr onclick="ClosePopup('{ScenarioID}', '{Name}');" />
However, the {Name} value can sometimes contain the character "'" (single quote). At the moment the error Expected: ')' comes up as a result because it is effectivly ending the javascript function early and destroying the syntax.
What is the best way to prohibit the single quotes in {Name} value from effecting the javascript?
Cheers!
You're committing the first mortal sin of insecure web template programming - not escaping the content of the values being rendered into the template. I can almost guarantee you that if you take that approach, your web app will be vulnerable to XSS (cross site scripting) and any third party will be able to run custom javascript in your page, stealing user data and wreaking havoc as they wish.
Check it out. http://en.wikipedia.org/wiki/Cross-site_scripting
The solution is to escape the content. And to do that properly in the javascript, which is also inside html, is a lot more than just putting escape sequences in front of backslashes.
Any decent templating engine out there should provide you a way to escape content as it's written to the template. Your database values can be left as-is, the important part is escaping it at output time. If your template engine or dynamic web app framework doesn't allow for this, change to one that does. :)
In support of the prior comment please read the following to gain a better understanding of why the security advice is so important.
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_web_based_attacks_03-2009.en-us.pdf
I would think that you could kill just about any code injection by, for example, replacing
"Hello"
with
String.fromCharCode(72,101,108,108,111)
Although the security information provided by everyone is very valuable, it was not so relevant to me in this situation as everything in this instance is clientside, security measures are applied when getting the data and rendering the XML. The page is also protected through windows authentication (adminsitration section only) and the web app framework cannot be changed. The answer i was looking for was really quite simple in the end.
<tr onclick='ClosePopup("{ScenarioID}", "{Name}");' />

Categories

Resources