Merge commit from fork

casid · web-flow · commit a6fb00d53c7b · 2025-01-13T17:07:14.000+01:00
* Fix xss vulnerability in javascript template strings

* Escape dollar signs to prevent undesired interpolation
diff --git a/jte-runtime/src/main/java/gg/jte/html/escape/Escape.java b/jte-runtime/src/main/java/gg/jte/html/escape/Escape.java
@@ -49,6 +49,8 @@ public static void javaScriptBlock(String value, TemplateOutput output) {
             switch (c) {
                 case '\'' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\'", output);
                 case '"' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\\"", output);
+                case '`' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\`", output);
+                case '$' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\$", output);
                 case '/' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\/", output);
                 case '-' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\-", output);
                 case '\\' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\\\", output);
@@ -73,6 +75,8 @@ public static void javaScriptAttribute(String value, TemplateOutput output) {
             switch (c) {
                 case '\'' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\x27", output);
                 case '"' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\x22", output);
+                case '`' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\x60", output);
+                case '$' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\x24", output);
                 case '\\' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\\\", output);
                 case '\n' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\n", output);
                 case '\t' -> lastIndex = flushAndEscape(value, lastIndex, i, "\\t", output);
diff --git a/jte/src/test/java/gg/jte/TemplateEngine_HtmlOutputEscapingTest.java b/jte/src/test/java/gg/jte/TemplateEngine_HtmlOutputEscapingTest.java
@@ -1313,6 +1313,88 @@ void invalidAttribute_semicolon() {
         assertThat(throwable).isInstanceOf(TemplateException.class).hasMessage("Failed to compile template.jte, error at line 1: Invalid HTML attribute name ;!");
     }
 
+    @Test
+    void templateStringInJavaScriptBlock_backtick() {
+        codeResolver.givenCode("template.jte", """
+                @param String someMessage
+                <!DOCTYPE html>
+                <html lang="en">
+                <head>
+                    <title>XSS Test</title>
+                    <script>window.someVariable = `${someMessage}`;</script>
+                </head>
+                <body>
+                <h1>XSS Test</h1>
+                </body>
+                </html>
+                """);
+
+        templateEngine.render("template.jte", "` + alert(`xss`) + `", output);
+
+        assertThat(output.toString()).isEqualTo("""
+                <!DOCTYPE html>
+                <html lang="en">
+                <head>
+                    <title>XSS Test</title>
+                    <script>window.someVariable = `\\` + alert(\\`xss\\`) + \\``;</script>
+                </head>
+                <body>
+                <h1>XSS Test</h1>
+                </body>
+                </html>
+                """);
+    }
+
+    @Test
+    void templateStringInJavaScriptBlock_dollar() {
+        codeResolver.givenCode("template.jte", """
+                @param String someMessage
+                <!DOCTYPE html>
+                <html lang="en">
+                <head>
+                    <title>XSS Test</title>
+                    <script>window.someVariable = `${someMessage}`;</script>
+                </head>
+                <body>
+                <h1>XSS Test</h1>
+                </body>
+                </html>
+                """);
+
+        templateEngine.render("template.jte", "${secret}", output);
+
+        assertThat(output.toString()).isEqualTo("""
+                <!DOCTYPE html>
+                <html lang="en">
+                <head>
+                    <title>XSS Test</title>
+                    <script>window.someVariable = `\\${secret}`;</script>
+                </head>
+                <body>
+                <h1>XSS Test</h1>
+                </body>
+                </html>
+                """);
+    }
+
+    @Test
+    void templateStringInJavaScriptAttribute_backtick() {
+        codeResolver.givenCode("template.jte", "@param String p\n<span onClick=\"console.log(`${p}`)\">foo</span>");
+
+        templateEngine.render("template.jte", "` + alert(`xss`) + `", output);
+
+        assertThat(output.toString()).isEqualTo("<span onClick=\"console.log(`\\x60 + alert(\\x60xss\\x60) + \\x60`)\">foo</span>");
+    }
+
+    @Test
+    void templateStringInJavaScriptAttribute_dollar() {
+        codeResolver.givenCode("template.jte", "@param String p\n<span onClick=\"console.log(`${p}`)\">foo</span>");
+
+        templateEngine.render("template.jte", "${secret}", output);
+
+        assertThat(output.toString()).isEqualTo("<span onClick=\"console.log(`\\x24{secret}`)\">foo</span>");
+    }
+
     @Test
     void localization_notFound_noParams() {
         codeResolver.givenCode("template.jte", """
