Bug #46856 for HTML-Template: wish: escape=html should be on default.

Thu Jun 11 12:44:59 2009 MARKSTOS [...] cpan.org - Ticket created

Subject:

wish: escape=html should be on default.

HTML::Template's escaping is insecure by default, having you to turn on the security of HTML escaping just where you think you need it. If you don't have security on your mind, it's easy to not do this. Unless you test explicitly for security issues, it may be easy to miss an XSS hole going through alpha and beta testing and into issue and into production. Like Django's templating system, HTML::Template should be secure-by-default in regards to escaping. "escape=HTML" should be the default. Then if you know you have a place where you *know* you need to let through raw HTML, then you can turn off escaping in just one place, so the you acknowledging each place where you choose to lower security. In terms of backwards compatibility, users who have explicitly declared "escape=HTML" or "escape=NONE" everywhere they need it are already covered. And if anyone declares "default_escape", there will be no change for them. What remains are the people and projects who have not thought out all the places where they need to allow or disallow HTML escaping completely. The change will bring their awareness to this issue to make the necessary changes, if they choose to upgrade HTML::Template. Also, it can be documented how people can choose to enable the legacy insecure default with a single line of code. Mark

Thu Apr 14 17:39:58 2011 wonko [...] cpan.org - Correspondence added

I completely understand the sentiment of this request and agree that things should be secure by default, but HTML::Template is such a popular module and is packaged in lots of different distributions, I just don't see how we can make a change that will breaks lots of existing projects. And it's not like other modules that might break at compile time, or cause a 500 error at run time, it will just change their applications output without any notification of what might be going on. Users would have to check the changelog of HTML::Template to know what's going on which seems completely unrealistic. And we wouldn't be able to determine the difference between old and new templates to do something helpful like issue a deprecation warning. It's just not something I can ever see happening because of the brokenness that would occur.

Thu Apr 14 17:40:00 2011 The RT System itself - Status changed from 'new' to 'open'

Thu Apr 14 17:40:00 2011 wonko [...] cpan.org - Status changed from 'open' to 'rejected'

Fri Apr 15 09:39:22 2011 mark [...] summersault.com - Correspondence added

Subject:	Re: [rt.cpan.org #46856] wish: escape=html should be on default.
Date:	Fri, 15 Apr 2011 09:39:11 -0400
To:	bug-HTML-Template [...] rt.cpan.org
From:	Mark Stosberg <mark [...] summersault.com>

Show quoted text

> It's just not something I can ever see happening because of the > brokenness that would occur.

Michael, First thanks for starting to maintain this module. I appreciate it! I understand the concerns about compatibility, but the module may have yet more users in the future than it does in the past, and there's value in working in their best interest as well as the existing users. We are also not forcing anyone to upgrade, and they each have a responsibility to vet changes to their own applications before putting them into production. In the current era, I think not having HTML escaping on default can be seen as a "security bug", and an important one to fix. Other possibilities include making both available and encouraging people to use the new one. This could take the form of: - HTML::Template::Strict - HTML::Template::V3 ( which may have incompatible changes ); Personally, I would also like to see the default for "die_on_bad_params" changed as well. I would love to see a "3.0" release that includes a plugin system, although that could be backwards compatible. Mark

Fri Apr 15 09:39:23 2011 The RT System itself - Status changed from 'rejected' to 'open'