Every now and then, a security vulnerability is reported on another significant website (Alza, Mapy.cz, BontonLand) or is exploited. Try searching for XSS vulnerability to understand why Cross Site Scripting (XSS) is currently one of the most widespread and dangerous vulnerabilities.
This is a distressing issue for website operators and perhaps even more so for suppliers. It can damage reputations, lead to fines, lawsuits, or simply spoil relationships with clients. How to defend against XSS? By so-called string escaping. Unfortunately, most experts are not well-versed in this area. (I don’t mean to be tactless or offend anyone, but of the “Czechoslovak IT celebrities,” I only know one person who deeply understands this issue.) Thus, even articles on this topic on well-known websites are, let’s say, inaccurate.
Moreover, this escaping is usually done in the template, falling on the coder’s shoulders. Thus, the most critical area requiring high expertise is handled by someone unqualified. How can this end? We know all too well – see the first paragraph.
Nette Framework Will Save You
I would like to introduce you to a killer feature of the Latte templating system in the Nette Framework. It's such a fundamental feature that it alone is a reason to choose this framework. Or at least to use its templates.
- the bigger your company, the more crucial this feature is
- no competing framework has it to date 1)
The Nette Framework automatically escapes in templates. Its Context-aware escaping feature recognizes which part of the document you are in and chooses the appropriate escaping method accordingly.
Let's dive into more technical details. You can see how it works best with
an example. Consider a variable $var and this template:
<p onclick="alert({$var})">{$var}</p>
<script>
document.title = {$var};
</script>The notation {$var} means printing the variable. However, each
print must be explicitly secured, even differently at each location. A coder
must (for example, in Smarty) add the appropriate modifiers, must not make a
mistake, and especially not omit anything.
In the Nette Framework, nothing needs to be manually secured. Everything is done automatically, correctly, and consistently!
If we assign $var = 'Width 1/2"' to the variable, the framework
generates the HTML code:
<p onclick="alert("Width 1\/2\"")">Width 1/2"</p>
<script>
document.title = "Width 1\/2\"";
</script>Of course, situations where you need to print a variable without escaping it
are also considered, for example, because it contains article text including
HTML tags. In such cases, you use the notation {$var|noescape}.
End of the technical digression. Thanks to Latte, it suddenly means that
- the template remains simple
- you don’t have to worry that a coder will overlook something
- and at the same time, you don’t need to have a top expert on escaping ;)
- the work is much easier
You can find more information about Latte’s smart templates in the documentation.
1) About half a year after Nette, Google introduced a similar feature for its library in C++, and as far as I know, no framework in PHP, Ruby, or Python has anything similar yet.