Looking for a popular templating language that needs XSS protection [closed]

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

---

We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.

Closed 7 years ago.

Improve this question

I'd like to experiment with a popular HTML templating language to see if I can solve XSS problems in it. What is a popular, open-source, templating language that I could try to tackle.

By templating language, I mean a language used to generate an output language by combining static content in that output language with dynamic data from another source. E.g. PHP is commonly used as a templating language for HTML/CSS/JS, and XSLT is a templating language for XML.

The ideal template language would be

1. Widely used
2. Open source
3. Not have already solved XSS
4. The simpler the syntax the better

The idea is to

1. parse each template so that I end up with a tree of chunks of raw HTML, expressions that produce dynamic values that need to be encoded, and conditional (switch/if) and loop constructs.
2. walk the tree inferring context. Possible contexts might include (HTML_PCDATA, IN_JS_DBL_QUOTED_STR, etc.) So if I see a chunk of raw HTML, <a href=" in an HTML PCDATA context, then I move to a context where I am expecting part of a URL. When I reach a branch or loop, follow each branch independently, and join the contexts afterwards.
3. if the language has templates, try to determine a static call graph so I can clone templates and rewrite calls where a given template is called in multiple contexts.
4. wrap the expressions that produce dynamic values with call开发者_运维百科s into a library I implement that includes functions like expectHtml(...), expectJsValue(...) that encode the dynamic value appropriately. E.g. expectHtml(...) converts < to <.
5. provide some convenience functions so that the code that provies data to templates can use RTTI to specify the language of dynamic values to avoid overescaping. So expectHtml(...) would not escape a value of type Html since it is assumed to come from a safe source like knownSafeHtml(...) or stripBadTags(...)

---

The upcoming Symfony is broken down in components. They are releasing them one by one. Symfony Templating is one of them and would be a good candidate for you to test.