Improve web-page templating sanitization. #188

Closed
opened 2025-10-16 05:54:42 -04:00 by rainbownapkin · 1 comment

Current EJS templates rely on input sanitization to keep them safe. While we do trust the server to sanitize data before ingesting it, especially in cases in which the data is saved to the DB, it would be safer to ensure we safely inject the data into the template no matter what.

We should replace uses of the `<%-` tag with the `<%=` tag where possible, un-escaping HTML entities beforehand with `validator.unescape()` to ensure sanitized data displays properly, as `<%=` expects unsafe data. This falls in line with our method of injecting data on the client side using JS, in which data is un-escaped with `utils.ux.unescape()` and injected safely using the `node.innerText` property.

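As an added example (not code from the Canopy project), the following models the difference the issue describes with a small stand-in renderer, so the cases can be checked offline without the `ejs` or `validator` packages. `render`, `escapeHtml` and `unescapeHtml` are assumptions written here to mimic EJS's `<%- %>` / `<%= %>` behaviour and `validator.unescape()`; real EJS compiles templates to JavaScript and handles arbitrary expressions, this only handles a bare variable name. The sample inputs are constructed.

```javascript
// Added example, not Canopy project code. Models EJS's two output tags with a
// minimal renderer: <%- x %> inserts the value raw, <%= x %> inserts it
// HTML-escaped. Only `<%- name %>` / `<%= name %>` with a plain key is handled.

// Same character set EJS's <%= escapes (& < > " ').
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Reverse of escapeHtml; stands in for validator.unescape(). Order matters:
// &amp; must be decoded last, or "&amp;lt;" would collapse to "<".
function unescapeHtml(s) {
  return String(s)
    .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"').replace(/&#39;/g, "'").replace(/&#x27;/g, "'")
    .replace(/&amp;/g, '&');
}

// Minimal EJS-like renderer (assumption, not EJS itself).
function render(template, data) {
  return template.replace(/<%([-=])\s*(\w+)\s*%>/g, (_, tag, key) => {
    const value = data[key] === undefined ? '' : data[key];
    return tag === '-' ? String(value) : escapeHtml(value);
  });
}

// The current pattern: `<%- name %>` trusts that the value was escaped upstream.
function renderRaw(value) {
  return render('<p><%- name %></p>', { name: value });
}

// The proposed pattern: un-escape first, then let `<%= name %>` escape on output.
function renderEscaped(value) {
  return render('<p><%= name %></p>', { name: unescapeHtml(value) });
}

// Constructed sample: what the server stores after escaping user input.
const STORED_ESCAPED = escapeHtml('<b>hi</b>'); // "&lt;b&gt;hi&lt;/b&gt;"
// Constructed sample: the same kind of payload if escaping was skipped or bypassed.
const STORED_RAW = '<script>alert(1)</script>';

// Returns the rendered HTML for each combination of tag and stored data.
function demo() {
  return {
    // <%- with escaped data: displays "<b>hi</b>" literally. Fine.
    rawTagEscapedData: renderRaw(STORED_ESCAPED),
    // <%- with un-escaped data: the script tag lands in the page. XSS.
    rawTagRawData: renderRaw(STORED_RAW),
    // <%= on already-escaped data without un-escaping: double-escaped,
    // the user sees "&lt;b&gt;hi&lt;/b&gt;" on screen.
    escapedTagNoUnescape: render('<p><%= name %></p>', { name: STORED_ESCAPED }),
    // <%= after unescape: same output as the safe <%- case.
    escapedTagEscapedData: renderEscaped(STORED_ESCAPED),
    // <%= after unescape on un-escaped data: still escaped on output. Safe.
    escapedTagRawData: renderEscaped(STORED_RAW),
  };
}
```

The last two cases are the point of the change: with un-escape followed by `<%=`, the output is identical whether or not the server's sanitization ran, so a missed or bypassed escape upstream no longer becomes markup in the page. The round trip is lossy only for values that were never escaped yet contain literal entity text (an un-sanitized `&amp;` would render as `&`), which is acceptable given that such values should not exist in the DB.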
rainbownapkin added the Cleanup/Refactor and Security Improvement labels 2025-10-16 05:54:53 -04:00
rainbownapkin added this to the Canopy v0.4-Indev milestone 2025-10-16 05:54:57 -04:00
rainbownapkin added a new dependency 2025-10-16 05:55:17 -04:00
Author · Owner

Improved sanitization for server-side templating: 08fe051269
rainbownapkin changed title from Improve web-page templating sanatization. to Improve web-page templating sanitization. 2025-11-04 06:12:00 -05:00
Blocks
#164 Tweaks and Fixes
Reference: rainbownapkin/canopy#188