INTRODUCTION
When your application templates are plain HTML5 files, front-end developers can work with almost no coordination with the backend team. Even a "website theme" bought from one of the online markets, which of course was not developed for your application, is easy to slice into 'layout', 'header', 'footer' and 'content' template files.
HTML vs TEXT
The distinction between text and HTML is very important: confusing the two is the root cause of XSS vulnerabilities. XSS became so common on the web because almost all template engines are designed to process text. Those engines can render a config file, a Christmas letter, and HTML alike. All of them also provide a way to HTML-escape a value, usually as a filter, but being text engines they cannot HTML-escape values by default. In practice, developers can (and will) forget to add the proper filter, or do not know about this vulnerability at all.
Plift is a template engine just for HTML, implemented on top of libxml. For rendering text we call "createTextNode" on XML::LibXML::Document, for attributes we call "setAttribute" on XML::LibXML::Element, and for rendering the final document we call "toStringHTML" on XML::LibXML::Document. Values are inserted as nodes and attributes, never as markup, so libxml takes care of the proper escaping when it serializes the tree.
Does that mean you are immune to XSS? No. You can still tell Plift to render unescaped HTML, but that is not the default. Escaping also only protects the markup syntax: a value that is well-formed but dangerous by meaning, such as a "javascript:" URL placed in an href attribute, is still rendered as given, so validating such values remains the application's job.
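The following is an added example, not code from Plift itself; it uses XML::LibXML directly to show the mechanism Plift relies on. It renders the same attacker-controlled inputs (constructed for this example) once through plain string interpolation, as a text template engine would without an escape filter, and once through createTextNode/setAttribute/toStringHTML. The safe_href function and the URL allow-list it applies are this example's own assumption, not a Plift feature, and illustrate the caveat above.

```perl
#!/usr/bin/env perl
# Added example (not Plift's own code): why building the page as a libxml
# DOM tree escapes untrusted values by construction, and where DOM-level
# escaping still does not save you.
use strict;
use warnings;
use XML::LibXML;

# Constructed, attacker-controlled inputs.
my $evil_text = q{<script>alert("xss")</script>};
my $evil_attr = q{" onmouseover="alert(1)};
my $evil_href = q{javascript:alert(document.cookie)};

# 1. Text templating: plain string interpolation, which is what a generic
#    text engine produces when the developer forgets the escape filter.
#    Both values land in the output verbatim: the text becomes a live
#    <script> element and the attribute value closes the quote and adds
#    an event handler.
sub render_as_text {
    my ($name, $href) = @_;
    return qq{<div class="greeting">Hello $name</div><a href="$href">home</a>};
}

# 2. DOM templating: the same page built through XML::LibXML, the way
#    Plift does it. Values are added as nodes and attributes, never parsed
#    as markup.
sub render_as_dom {
    my ($name, $href) = @_;
    my $doc = XML::LibXML->new->parse_html_string(
        '<html><body><div class="greeting"></div><a>home</a></body></html>'
    );
    my ($div) = $doc->findnodes('//div[@class="greeting"]');
    my ($a)   = $doc->findnodes('//a');

    # createTextNode (XML::LibXML::Document): the serializer writes '<',
    # '>' and '&' as entities, so the payload stays text and no <script>
    # element ever exists in the tree.
    $div->appendChild($doc->createTextNode("Hello $name"));

    # setAttribute (XML::LibXML::Element): the whole value is stored as one
    # attribute; '"' and '&' are escaped on output, so the injected
    # onmouseover= never becomes a second attribute.
    $a->setAttribute(href => $href);

    return $doc->toStringHTML;
}

# 3. The caveat: escaping protects syntax, not meaning. A javascript: URL
#    is a perfectly well-formed attribute value, so libxml has no reason to
#    reject it. A scheme allow-list (this example's own assumption) is the
#    application's job, not the template engine's.
sub safe_href {
    my ($href) = @_;
    return $href if $href =~ m{\A(?:https?:|mailto:|/|#)}i;
    return '#';
}

print "--- text templating (vulnerable) ---\n";
print render_as_text($evil_text, $evil_attr), "\n\n";

print "--- DOM templating (values escaped) ---\n";
print render_as_dom($evil_text, $evil_attr), "\n";

print "--- DOM templating, javascript: URL survives escaping ---\n";
print render_as_dom('reader', $evil_href), "\n";

print "--- DOM templating plus URL allow-list ---\n";
print render_as_dom('reader', safe_href($evil_href)), "\n";
```

Run it and compare the first two outputs: the string-interpolated page contains a real <script> element and an onmouseover handler, while the DOM-built page contains only entity-encoded text and a single, intact href attribute. The third output shows that the javascript: URL is rendered unchanged, which is exactly what the caveat above is about. One more limitation worth knowing when relying on libxml's HTML serializer: text nodes placed inside <script> or <style> elements are written out without entity escaping, so never route a user-supplied value into those elements.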
AUTHOR
Carlos Fernando Avila Gratz <cafe@kreato.com.br>