Discussion:
the template tags and their default safe contexts
Haluk Karamete
2014-02-16 19:49:42 UTC
Right off the bat, I'd like to express that this post of mine is not a
criticism of the current system, whatsoever. I know security is a complex
matter.
I'm only trying to get the hang of the issue I will be trying to point out
below to pick your brains for ideas. That's all there is to it.

Having said that... here we go.

To make my point, I will just pick the template tag the_title().

The the_title() outputs the title.

And it's very easy to learn this fact, thanks to the codex and the
countless articles that are out there.

Since it's a WordPress core function, it's also pretty human to think that
it should be safe to use it as is. At least, I would not blame the many
who think so, from the get-go.

But the fact of the matter is HTML is a complex thing. And dealing with XSS
or simply writing valid HTML is even more complex. And most people can
easily get lost in this.

Take a look at this piece for instance...

It uses the_title() in straightforward HTML.

<a href="#" title="<?php the_title(); ?>"><?php the_title(); ?></a>

The question is - Is it safe?

Obviously not...

Well, it is 50% secure. :)

The part within the HTML context ( which will eventually be falling in
between > and < ) is fine but the attribute part ( which will be falling
into title=" and " ) is not.

The the_title() call within the title attribute above is like a military
mine which is waiting to detonate on the wrong title.

Considering so many different contexts, so many template tags, so
many esc_ functions, and millions of people out there, what do we do, or
what should we do?

And what do you guys do to sort out this kind of matter when writing your own
template files that output stuff? What handle or conventions do you use?

Obviously, we do not have
the_title_js(),
the_title_attr() and
the_title_html() versions for each and every template tag (which would
follow the esc_ API context conventions in a one-to-one fashion), as Mark
demonstrates here ->
http://wordpress.tv/2011/01/29/mark-jaquith-theme-plugin-security/

I do know the fact that here, we have "the_title_attribute()" available to
us, but hey, you just have to know that.

What if I needed to use the_title() within a JavaScript context as
below? Which way do I go about it, and how do I know which one would be
all right?
Stack Overflow it?

<script>
$the_title = '<?php the_title();?>';
$the_title = '<?php esc_js(the_title());?>';
$the_title = '<?php the_title_attribute();?>';
$the_title = '<?php esc_js(the_title_attribute());?>';
</script>

Is the only way to sort this out to know each and every template tag and
its safe output contexts? Or are there tips or conventions you guys use
to sort these things out in a convenient way?

I'm just curious.
Nikola Nikolov
2014-02-16 20:24:57 UTC
Hi Haluk,

I see your point there and I guess that it's a matter of experience and
being aware of things.
Like being aware that using the_title() is not safe to use within HTML
attribute values. And to know that you should instead use esc_attr(
get_the_title() ) - note the use of get_the_title() - using just
the_title() won't work, since it will output it and not return it :)

If you are aware of the escaping functions and in which cases they should
be used, then that should give you a pretty good start. For instance if you
want to escape text that will go in a textarea, you use esc_textarea().

The best thing to do in my opinion when writing a theme or a plugin
template is to use the correct escaping methods. This way I think that
there are higher chances for the user to keep the escaping functions in
place even if they tweak something on the template.
_______________________________________________
wp-hackers mailing list
http://lists.automattic.com/mailman/listinfo/wp-hackers
Haluk Karamete
2014-02-17 15:08:50 UTC
Nikola, thank you for your reply.
I think it would be necessary to create a matrix and keep it handy...
sort of like...

template tag   safe-in-HTML  safe-in-JS  safe-in-Attr  safe-in-Textarea  safe-in-HREF  etc...
----------------------------------------------------------------------------------------------
the_title()    TRUE          FALSE       FALSE         FALSE             FALSE
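Added example (not part of the thread and not WordPress's own code) that works through the first post's 50%-secure anchor tag and JavaScript context together with the safe-in-* matrix proposed above. escape_for_html(), escape_for_attr(), escape_for_js(), safe_in() and matrix() are assumed names built on PHP builtins standing in for esc_html(), esc_attr() and wp_json_encode(), so the script runs without WordPress; the title is a constructed sample.

```php
<?php
// Added illustration for this thread, not WordPress's own code: PHP builtins
// stand in for esc_html()/esc_attr()/wp_json_encode() so it runs without
// WordPress loaded. The title at the bottom is a constructed sample.
// Text node between tags: only the markup characters need neutralising.
function escape_for_html(string $s): string {
    return htmlspecialchars($s, ENT_NOQUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// Quoted attribute value: the quote must go too, or the value ends early.
function escape_for_attr(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// Inline <script> string: a JS literal whose body holds no raw <, >, & or
// quotes, so a '</script>' inside the title cannot end the block.
function escape_for_js(string $s): string {
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}
// Characters that break out of each sink: the thread's safe-in-* columns.
// For 'js' the JSON literal's own delimiting " are fine; raw ' and < are not.
const BREAKERS = [
    'html' => ['<', '>'],
    'attr' => ['<', '>', '"'],
    'js'   => ['<', '>', '&', "'", "\n", "\r"],
];

// True: the value cannot terminate the sink (says nothing about rendering).
function safe_in(string $value, string $context): bool {
    foreach (BREAKERS[$context] as $ch) {
        if (strpos($value, $ch) !== false) {
            return false;
        }
    }
    return true;
}
// One row per escaper. The html-escaped row passes 'html' but fails 'attr'
// because the double quote is left alone: the 50%-secure anchor from the post.
function matrix(string $raw): array {
    $outputs = ['raw' => $raw, 'html' => escape_for_html($raw),
                'attr' => escape_for_attr($raw), 'js' => escape_for_js($raw)];
    $rows = [];
    foreach ($outputs as $name => $out) {
        foreach (array_keys(BREAKERS) as $ctx) {
            $rows[$name][$ctx] = safe_in($out, $ctx);
        }
    }
    return $rows;
}
$title = 'Rock "n" Roll <b>isn\'t</b> dead & well';   // constructed sample
print_r(matrix($title));
```

The printed matrix shows the raw title unsafe everywhere, the html-escaped form safe only between tags, the attr-escaped form safe in both HTML and attribute sinks, and only the JSON form safe inside a script string, which is the one-escaper-per-context rule the reply recommends.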
Nikola Nikolov
2014-02-17 18:17:08 UTC
I guess that would be a good place to start, with suggestions on what to use
in the contexts where it's not safe.