mikesamuel / html-contextual-autoescaper-java

Licence: other
Prevents XSS by figuring out how to escape untrusted values in templates

A runtime contextual autoescaper written in Java.

It provides a writer-like object with two methods:

  writeSafe(String)
  write(Object)

so that the sequence of calls

 // Trusted template text goes through writeSafe; untrusted values through write.
 w.writeSafe("<b>");
 w.write("I <3 Ponies!");
 w.writeSafe("</b>\n<button onclick=foo(");
 w.write(ImmutableMap.<String, Object>of(
     "foo", "bar", "\"baz\"", 42));
 w.writeSafe(")>");

results in the output

  <b>I &lt;3 Ponies!</b>
  <button onclick="foo({&#34;foo&#34;:&#34;\x22bar\x22&#34;:42})">

The safe parts are treated as literal chunks of HTML/CSS/JS, and the unsafe parts are escaped to preserve security and least-surprise.

For a more comprehensive example, a template like

<div style="color: <%=$self.color%>">
  <a href="/<%=$self.color%>?q=<%=$self.world%>"
   onclick="alert('<% helper($self) %>');return false">
    <% helper($self) %>
  </a>
  <script>(function () {  // Sleepy developers put sensitive info in comments.
    var o = <%=$self%>,
        w = "<%=$self.world%>";
  })();</script>
</div>

<% def helper($self) {
  %>Hello, <%=$self.world%>!
<%}%>

might correspond to the sequence of calls

 // Dummy input values.
 Map<String, Object> $self = ImmutableMap.<String, Object>of(
     "world", "<Cincinatti>", "color", "blue");
 Object color = $self.get("color"), world = $self.get("world");
 // Alternating safe and unsafe writes that implement the template.
 w.writeSafe("<div style=\"color: ");
 w.write    (color);
 w.writeSafe("\">\n<a href=\"/");
 w.write    (color);
 w.writeSafe("?q=");
 w.write    (world);
 w.writeSafe("\"\n  onclick=\"alert('");
 helper     (w, $self);
 w.writeSafe("');return false\">\n    ");
 helper     (w, $self);
 w.writeSafe("\n  </a>\n  <script>(function () {\n    var o = ");
 w.write    ($self);
 w.writeSafe(",\n        w = \"");
 w.write    (world);
 w.writeSafe("\";\n  })();</script>\n</div>");

which results in the output

<div style="color: blue">
  <a href="/blue?q=%3cCincinatti%3e"
   onclick="alert('Hello, \x3cCincinatti\x3e!');return false">
    Hello, <Cincinatti>!
  </a>
  <script>(function () {
    var o = {"Color":"blue","World":"\u003cCincinatti\u003e"},
        w = "\x26lt;Cincinatti\x26gt;";
  })();</script>
</div>
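To show how the alternating writeSafe/write calls above decide the escaping, here is a toy contextual autoescaper added as an illustration (not the library's code): write_safe advances a small context state machine over trusted template text, and write escapes an untrusted value for whatever context it lands in. It covers the contexts the two examples use (HTML text, href/src URL attribute, on* handler as JS expression or as a quoted JS string) and refuses to emit into a context it does not model; entity and percent-encoding details (e.g. `&quot;` rather than `&#34;`) differ from the library's output.

```python
import html
import json
from urllib.parse import quote

# Toy contextual autoescaper (added illustration, not the library's code). It tracks
# HTML text, double-quoted attributes (plain, URL in href/src, JS expression in on*)
# and a single-quoted JS string inside an on* handler; anything else fails closed.
JS_STR = {"\\": r"\\", "'": r"\x27", '"': r"\x22", "<": r"\x3c", ">": r"\x3e",
          "&": r"\x26", "\n": r"\n", "\r": r"\r"}

def js_string_escape(s):  # value placed inside a JS string literal
    return "".join(JS_STR.get(c, c) for c in s)

def js_value_escape(value):  # JSON usable as a JS expression; '<' only occurs in strings
    js = json.dumps(value, separators=(",", ":"))
    return js.replace("<", r"\u003c").replace(">", r"\u003e").replace("&", r"\u0026")

class ContextualWriter:
    def __init__(self):
        self.out, self.state, self.attr = [], "text", ""
    def write_safe(self, chunk):  # trusted template text: only updates the context
        for c in chunk:
            if self.state == "text" and c == "<":
                self.state, self.attr = "tag", ""
            elif self.state == "tag":  # collect the lower-cased tag/attribute name
                if c == ">": self.state = "text"
                elif c == "=": self.state = "eq"
                elif c.isspace(): self.attr = ""
                else: self.attr += c.lower()
            elif self.state == "eq" and c == '"':
                self.state = "attr"
            elif self.state == "attr" and c == '"':
                self.state, self.attr = "tag", ""
            elif self.state == "attr" and c == "'" and self.attr.startswith("on"):
                self.state = "jsstr"
            elif self.state == "jsstr" and c == "'":
                self.state = "attr"
        self.out.append(chunk)
    def write(self, value):  # untrusted value: escaped for the current context
        ctx = self.state
        if ctx == "attr":
            ctx = "js" if self.attr.startswith("on") else "url" if self.attr in ("href", "src") else "attr"
        if ctx in ("text", "attr"): esc = html.escape(str(value))
        elif ctx == "jsstr": esc = html.escape(js_string_escape(str(value)))
        elif ctx == "js": esc = html.escape(js_value_escape(value))
        elif ctx == "url": esc = html.escape(quote(str(value), safe=""))
        else: raise ValueError("no escaper for context " + ctx)  # e.g. unquoted attribute
        self.out.append(esc)
    def getvalue(self):
        return "".join(self.out)
```

Feeding the first example's calls through it yields `I &lt;3 Ponies!` in text context and an HTML-attribute-escaped JSON literal inside onclick, while the unquoted `onclick=foo(` form from the page raises instead of guessing a context.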