Reducing XSS with Auto-Escaping in Template Systems

The Google security team has introduced Automatic Context-Aware Escaping (Auto-Escape for short), a feature added to two Google-developed general-purpose template systems to better protect against Cross-Site Scripting (XSS). Consider the simplified template below, in which double curly brackets {{ and }} enclose placeholders (variables) that are replaced with run-time content, which is presumed unsafe. This template uses four variables: USER_NAME, USER_ACCOUNT_URL, USER_COLOR and USER_ID.
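As an added illustration (not code from the original post, nor from Google's template systems), here is a minimal context-aware auto-escaper in Python: the same {{...}} placeholder is escaped differently depending on whether it lands in HTML text, a URL attribute, a style attribute or an event-handler script. The markup around the four named variables is an assumption, as are the untrusted sample values.

```python
import html
import re

# Constructed template around the four placeholder names the post lists; the
# markup itself is an assumption, not the template from the original post.
TEMPLATE = ('<a href="{{USER_ACCOUNT_URL}}" style="color:{{USER_COLOR}}" '
            'onclick="track(\'{{USER_ID}}\')">{{USER_NAME}}</a>')
PLACEHOLDER = re.compile(r"\{\{(\w+)\}\}")

def url_escape(s):
    # Strip whitespace/control chars before reading the scheme (so "java\tscript:"
    # is not taken for a relative URL), allow-list schemes, then HTML-escape.
    compact = re.sub(r"[\s\x00-\x1f]", "", s).lower()
    scheme = re.match(r"[a-z][a-z0-9+.\-]*:", compact)
    if scheme and scheme.group(0) not in ("http:", "https:", "mailto:"):
        return "#"
    return html.escape(s, quote=True)

def css_escape(s):
    # A colour value must match a strict allow-list; anything else is neutralised.
    return s if re.fullmatch(r"[\w#%.,\- ]+", s) else "inherit"

def js_escape(s):
    # JS string literal inside an HTML attribute: hex-escape literal/script
    # breakers first, then HTML-escape the result for the attribute.
    js = "".join(c if c not in "\\'\"<>&\n\r" else "\\x%02x" % ord(c) for c in s)
    return html.escape(js, quote=True)

ESCAPERS = {"html": lambda s: html.escape(s, quote=True), "url": url_escape,
            "css": css_escape, "js": js_escape}

def context_of(prefix):
    # Classify the context at the end of the output so far: inside an unclosed
    # "..." attribute? If so, which attribute decides the escaper.
    m = re.search(r'\s(\w+)\s*=\s*"[^"]*$', prefix)
    if m is None:
        return "html"
    name = m.group(1).lower()
    if name.startswith("on"):
        return "js"
    if name in ("href", "src", "action"):
        return "url"
    return "css" if name == "style" else "html"

def render(template, values):
    # Substitute each placeholder with its value escaped for the context it lands in.
    out, pos = [], 0
    for m in PLACEHOLDER.finditer(template):
        out.append(template[pos:m.start()])
        out.append(ESCAPERS[context_of("".join(out))](str(values[m.group(1)])))
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)
```

Because every escaper removes or encodes the double quote, the output emitted so far never contains a stray `"` from user data, which is what keeps the prefix-based context detection sound.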
