autoescaping with jinja2 - fix code, templates, translatable strings
completed by: Julian Brost
mentors: Alexander Schremmer, ReimarBauer, Thomas Waldmann, Ronny Pfannschmidt
This is a continuation of "review code and templates to prepare for autoescaping with jinja2".
All places (in the templates, in the code, in translatable strings) where we insert HTML into the output have been marked with HHH (hahaha :) ).
You have to fix those places, so we can turn on autoescaping (see TODO in MoinMoin/__init__.py).
If we want to use autoescaping, we can't insert HTML into the output directly; any HTML that really has to be emitted as-is needs to be wrapped in jinja2's Markup class, everything else gets escaped automatically.
- get a clear understanding of the problem, why escaping is needed, see http://www.pythonsecurity.org/wiki/cross-sitescripting/
- look at the places that are marked with "HHH", think about how to solve
- identify the fundamentally different classes of problems
- for each class, think about:
  - do we really need html there?
  - use the Markup class of flask/jinja?
  - can the html get moved to the template?
- discuss your ideas on IRC with the moin devs
- after you solved the issue, remove the HHH marker
- please do multiple changesets (at least one per problem class), bundle related/similar changes into same clean changeset/patch
- turn on autoescaping
- check all places you changed whether they work as expected
- remove MoinFlask class, directly use Flask class
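As an added illustration (not MoinMoin's own code) of the three options listed for a problem class, here is a small jinja2 environment with autoescaping turned on; the template names, templates and sample data are constructed for the example:

```python
# Added example (not MoinMoin's own code): the three ways to handle an "HHH"
# spot once jinja2 autoescaping is on. Templates and data are constructed.
from jinja2 import Environment, DictLoader
from markupsafe import Markup  # jinja2's Markup class comes from markupsafe

TEMPLATES = {
    # 1. No HTML needed in the value: autoescaping handles the text.
    "title.html": "<h1>{{ title }}</h1>",
    # 3. HTML moved into the template: the code only passes plain data.
    "link.html": '<a href="{{ url }}">{{ text }}</a>',
    # 2. The code builds HTML itself and must hand over a Markup object.
    "body.html": "<div>{{ body }}</div>",
}

env = Environment(loader=DictLoader(TEMPLATES), autoescape=True)


def render_title(title):
    """Untrusted text: any tags in it come out escaped."""
    return env.get_template("title.html").render(title=title)


def render_link(url, text):
    """The anchor markup lives in the template; url and text are escaped."""
    return env.get_template("link.html").render(url=url, text=text)


def build_list(items):
    """Assemble HTML in code. Markup's % operator escapes each untrusted
    item, and the result is Markup, which autoescaping passes through."""
    lis = Markup("").join(Markup("<li>%s</li>") % item for item in items)
    return Markup("<ul>%s</ul>") % lis


def render_body(body):
    """Render body.html with whatever the caller passes. A plain str full of
    HTML (the unfixed HHH case) is escaped again and shows up as literal
    tags in the page; a Markup value is inserted as-is."""
    return env.get_template("body.html").render(body=body)


if __name__ == "__main__":
    print(render_title("<script>alert(1)</script>"))
    print(render_link("http://example.invalid/?a=1&b=2", "A & B"))
    print(render_body(str(build_list(["y"]))))     # broken: escaped twice
    print(render_body(build_list(["<b>x</b>"])))   # correct
```

The double-escaped output of the plain-str call is exactly what you will see in the browser for every HHH spot that is not fixed before autoescaping is turned on.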
Deliverable: patches or changesets
Jinja2's autoescaping makes output generation more secure and less error-prone.
If autoescaping is not used and someone forgets to escape a single string, attackers may be able to mount XSS attacks through it.
Extra work (optional)
If you want to do some extra work, review the source and the HTML output to check whether all HTML insertion into the output is now really handled correctly.
You can discuss this issue in the MoinMoin wiki: http://moinmo.in/EasyToDo/autoescaping%20with%20jinja2%20-%20fix%20code%20and%20templates