render_template_fix.rb
Snippet #1718284 · Created by @rootbakar_ · May 27, 2018
# Fix: escape user-supplied template variables before render
require 'cgi'

# A class (not a module) so that TemplateRenderer.new in the usage below works.
class TemplateRenderer
  # HTML-escape every value, then substitute {{name}} placeholders.
  # Unknown placeholders render as an empty string instead of leaking the tag.
  def safe_render(template, vars)
    sanitized = vars.transform_values { |v| CGI.escapeHTML(v.to_s) }
    template.gsub(/\{\{(\w+)\}\}/) { sanitized[$1] || '' }
  end
end

# Usage (user_input is a placeholder for an untrusted value read from the request)
user_input = '<a href="http://example.com">click</a>'
renderer = TemplateRenderer.new
output = renderer.safe_render("Hello {{name}}", { "name" => user_input })
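The snippet escapes every value as HTML text, which is the right fix for placeholders that land between tags. It goes one step further than the snippet, as an added example that is not part of the original: a placeholder that lands inside an href attribute also needs a URL scheme check, because a string such as "javascript:..." contains no characters that CGI.escapeHTML changes and is still followed when the link is clicked. The `{{url:name}}` placeholder syntax, the ContextAwareRenderer module name and the ALLOWED_SCHEMES list are assumptions of this example, not the snippet's.

```ruby
require 'cgi'
require 'uri'

# Added example, not the snippet's own code: a renderer whose placeholders
# carry their output context. {{name}} is a text node, {{url:name}} is an
# href value. Text context gets HTML escaping; URL context additionally
# requires an absolute http(s) URL and collapses anything else to "#".
module ContextAwareRenderer
  module_function

  # Assumed policy for this example: only web links may be emitted in href.
  ALLOWED_SCHEMES = %w[http https].freeze

  # Text context: escape & < > " ' so markup in the value is displayed, not parsed.
  def escape_text(value)
    CGI.escapeHTML(value.to_s)
  end

  # URL attribute context: accept only absolute http(s) URLs, then HTML-escape
  # the result so it is also safe between attribute quotes (an & in the query
  # string becomes &amp;). javascript:, data:, relative and malformed values
  # all become an inert "#" rather than being passed through.
  def escape_url(value)
    uri = URI.parse(value.to_s)
    return '#' unless ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase)
    CGI.escapeHTML(uri.to_s)
  rescue URI::InvalidURIError
    '#'
  end

  # Substitute placeholders, picking the escaper from the placeholder's context.
  # Missing keys render as an empty string, as in the original snippet.
  def render(template, vars)
    template.gsub(/\{\{(?:(url):)?(\w+)\}\}/) do
      context, key = $1, $2
      raw = vars.fetch(key, '')
      context == 'url' ? escape_url(raw) : escape_text(raw)
    end
  end
end

# Constructed sample inputs: one harmless link, one that must be neutralised.
if __FILE__ == $PROGRAM_NAME
  tpl = '<a href="{{url:link}}">{{label}}</a>'
  puts ContextAwareRenderer.render(tpl, 'link' => 'https://example.com/?a=1&b=2',
                                        'label' => 'Docs')
  puts ContextAwareRenderer.render(tpl, 'link' => 'javascript:alert(1)',
                                        'label' => '<b>click</b>')
end
```

The design choice is that the template author, not the value, decides the context: a value can never promote itself from text to URL. Templates that use only the plain `{{name}}` form behave exactly like the snippet's safe_render.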
Created by Talaohu28 (@rootbakar_) · 1 snippet · Security researcher. Bug hunter.

Comments (1)

asaba · May 30, 2018
The <a> being passed through is an inconsistency that could lead to a user clicking on a bad link.