Example 1: the htmlescape, escapequotes and defang filters

Template code (from themes/examples/escapes.chtml):

```html
{#example_1}
{!-- The htmlescape and escapequotes filters, plus defang
 -- and some suggestions on where to use them.
 --
 -- Cross-site scripting (XSS) attacks can be avoided
 -- with careful use of escape filters. By hardening
 -- your templates against abuse, your Java code is
 -- relieved of this burden.
 --}
<h2>The WRONG way:</h2>
<form>
<input
name="full_name"
value="{$name_a}" />
</form>
<script>
var x = '{$name_b}';
var y = '{$name_c}';
</script>
<div>
I trust this {$output}
</div>
<hr/>
<h2>The RIGHT way:</h2>
<form>
<input
name="full_name"
value="{$name_a|htmlescape}" />
</form>
<script>
var x = '{$name_b|escapequotes}';
var y = '{$name_c|escapequotes}';
</script>
<div>
I don't trust this {$output|defang}
</div>
{#}
```

Java code:

```java
import com.x5.template.Chunk;
import com.x5.template.Theme;

Theme theme = new Theme("examples");
// Fetch template from this file: themes/examples/escapes.chtml
// Inside that file there is a template "snippet" named #example_1
Chunk html = theme.makeChunk("escapes#example_1");
// Let's try to sneak some malicious values into the template
html.set("name_a", "Eddy \"Crazy Eddy\" Robslovsky");
html.set("name_b", "Mad \"Meanie\" McEvil'+doMeanThing()+'");
html.set("name_c", "Backslash-\\B\\o\\b \"Confused\" O'Malley");
html.set("output", "<script>attack()</script>");
// out is the caller's java.io.Writer or PrintStream (e.g. System.out)
html.render(out);
```

Chunk output:

```html
<h2>The WRONG way:</h2>
<form>
<input name="full_name" value="Eddy "Crazy Eddy" Robslovsky" />
</form>
<script>
var x = 'Mad "Meanie" McEvil'+doMeanThing()+'';
var y = 'Backslash-\B\o\b "Confused" O'Malley';
</script>
<div>
I trust this <script>attack()</script>
</div>
<hr/>
<h2>The RIGHT way:</h2>
<form>
<input name="full_name" value="Eddy &quot;Crazy Eddy&quot; Robslovsky" />
</form>
<script>
var x = 'Mad \"Meanie\" McEvil\'+doMeanThing()+\'';
var y = 'Backslash-\\B\\o\\b \"Confused\" O\'Malley';
</script>
<div>
I don't trust this scriptattack()/script
</div>
```
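An added example, not part of this page and not Chunk's own code: a small Python model of the three filters used in example 1. The functions htmlescape, escapequotes and defang are reimplemented here with standard-library calls and reproduce the strings shown in the Chunk output column for the page's inputs (the real Chunk filters may differ in detail; defang in particular is modelled only on the one output shown, so it strips nothing but angle brackets). Alongside them is a checker that parses the rendered `var x = '...'` statement the way a JavaScript parser does and returns any code that ends up outside the string literal, and one that returns what an HTML parser takes as the `value` attribute. The function names and the checkers are this example's own.

```python
import html
import re

# Sample values copied from the page's Java example (the page's own constructed inputs).
NAME_A = 'Eddy "Crazy Eddy" Robslovsky'
NAME_B = 'Mad "Meanie" McEvil\'+doMeanThing()+\''
NAME_C = 'Backslash-\\B\\o\\b "Confused" O\'Malley'
OUTPUT = "<script>attack()</script>"


def htmlescape(s: str) -> str:
    """HTML text/attribute context: turn & < > " and ' into entities."""
    return html.escape(s, quote=True)


def escapequotes(s: str) -> str:
    """JS string-literal context: backslash-escape backslash, double and single quote.
    Backslash must be handled first or the escapes just added would be doubled."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("'", "\\'")


def defang(s: str) -> str:
    """Strip angle brackets so no tag can form. Modelled only on the page's output
    for <script>attack()</script>; Chunk's real filter may strip more than this."""
    return re.sub(r"[<>]", "", s)


def js_literal_end(src: str, start: int) -> int:
    """Index just past the closing quote of the JS string literal opened at src[start],
    honouring backslash escapes the way a JS parser does."""
    quote = src[start]
    i = start + 1
    while i < len(src):
        if src[i] == "\\":
            i += 2  # escaped character: skip it, it cannot close the literal
            continue
        if src[i] == quote:
            return i + 1
        i += 1
    raise ValueError("unterminated string literal")


def code_after_literal(value: str, escaper=None) -> str:
    """Render `var x = '{value}';` as the template does and return whatever sits
    between the end of the string literal and the trailing ';'.
    An empty result means the value stayed data; anything else is injected code."""
    rendered = escaper(value) if escaper else value
    stmt = f"var x = '{rendered}';"
    start = stmt.index("'")
    end = js_literal_end(stmt, start)
    return stmt[end:-1]


def attribute_value(value: str, escaper=None) -> str:
    """Render `<input value="{value}" />` and return what an HTML parser takes as
    the attribute value: everything up to the next double quote."""
    rendered = escaper(value) if escaper else value
    tag = f'<input name="full_name" value="{rendered}" />'
    after = tag[tag.index('value="') + len('value="'):]
    return after[: after.index('"')]


if __name__ == "__main__":
    for label, esc in (("WRONG", None), ("RIGHT", escapequotes)):
        for v in (NAME_B, NAME_C):
            print(label, "code outside the literal:", repr(code_after_literal(v, esc)))
    print("WRONG attribute value:", repr(attribute_value(NAME_A)))
    print("RIGHT attribute value:", repr(attribute_value(NAME_A, htmlescape)))
    print("defang:", defang(OUTPUT))
```

Run as a script it prints, for the WRONG rows, `+doMeanThing()+''` and `Malley'` as code that has escaped the literal, and the attribute value cut short at `Eddy `; for the RIGHT rows it prints empty strings and the full entity-encoded name. One caveat the page does not state: escaping quotes is enough for the JavaScript parser, but the HTML tokenizer ends a `<script>` element at the first `</script` it sees regardless of JS string state, so a value that may contain that sequence needs additional treatment (for instance escaping `/` or carrying the data in an htmlescaped attribute) before it is safe inside an inline script.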
Example 2: the urlencode and urldecode filters

Template code (from themes/examples/escapes.chtml):

```html
{#example_2}
{!-- urlencode, urldecode. TODO: improve this example... --}
<a href="http://www.example.com/cgi-bin/record_action?url={$url|urlencode}">Click here</a>
<p>The query string was: {$query_string|urldecode}.
{#}
```

Java code:

```java
import com.x5.template.Chunk;
import com.x5.template.Theme;

Theme theme = new Theme("examples");
// Fetch template from this file: themes/examples/escapes.chtml
// Inside that file there is a template "snippet" named #example_2
Chunk html = theme.makeChunk("escapes#example_2");
html.set("url", "http://www.x5software.com/chunk/wiki/");
html.set("query_string", "x=y&z=w&god_particle=higgs%20boson");
// out is the caller's java.io.Writer or PrintStream (e.g. System.out)
html.render(out);
```

Chunk output:

```html
<a href="http://www.example.com/cgi-bin/record_action?url=http%3A%2F%2Fwww.x5software.com%2Fchunk%2Fwiki%2F">Click here</a>
<p>The query string was: x=y&z=w&god_particle=higgs boson.
```
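An added example for example 2, not from the page and not Chunk's code: it rebuilds the record_action link from the template with Python's urllib, using the page's own URL and query string plus one constructed target URL, and shows two things the page leaves implicit. First, a query-string value that is not urlencoded can split into extra parameters on the receiving side, while the encoded form arrives as a single parameter. Second, a urldecoded value that goes back into HTML (the `<p>` in the template) is plain text again and still needs htmlescape. The helper names, the RECORD_ACTION constant and the TRICKY_URL value are this example's own.

```python
import html
from urllib.parse import parse_qsl, quote, unquote

# The page's own sample inputs.
URL = "http://www.x5software.com/chunk/wiki/"
QUERY_STRING = "x=y&z=w&god_particle=higgs%20boson"
# Constructed input (not on the page): a target URL that itself carries a query string.
TRICKY_URL = "http://example.com/?a=1&admin=true"

# The endpoint from the template's href (assumption: any script reading ?url=).
RECORD_ACTION = "http://www.example.com/cgi-bin/record_action"


def urlencode(s: str) -> str:
    """Percent-encode a query-string value: every reserved character, ':' and '/'
    included, so the value cannot be mistaken for URL structure."""
    return quote(s, safe="")


def urldecode(s: str) -> str:
    """Reverse of urlencode. Note: does not map '+' to space; use unquote_plus
    for application/x-www-form-urlencoded bodies."""
    return unquote(s)


def record_action_link(target: str, encode: bool = True) -> str:
    """Build the href from the template, with or without the urlencode filter."""
    value = urlencode(target) if encode else target
    return f"{RECORD_ACTION}?url={value}"


def params_of(link: str) -> list:
    """What the receiving CGI script sees: (name, value) pairs of the query string."""
    query = link.split("?", 1)[1]
    return parse_qsl(query, keep_blank_values=True)


def query_string_for_html(qs: str) -> str:
    """The <p> from the template: urldecode restores the text, which is then HTML
    data and must be htmlescaped before it is placed in the page."""
    return html.escape(urldecode(qs), quote=True)


if __name__ == "__main__":
    print(record_action_link(URL))
    # Unencoded: the receiver sees two parameters, url and admin.
    print(params_of(record_action_link(TRICKY_URL, encode=False)))
    # Encoded: the receiver sees exactly one parameter carrying the whole target.
    print(params_of(record_action_link(TRICKY_URL)))
    print("<p>The query string was: " + query_string_for_html(QUERY_STRING) + ".")
```

The first line printed matches the Chunk output column above. The page's own output writes the decoded query string into the `<p>` with its `&` characters raw; applying htmlescape after urldecode, as query_string_for_html does, keeps any `<`, `>` or `&` that the decoding reveals from being interpreted as markup.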