Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Escaping is not applied at the expected level #897

Open
WesleyAC opened this issue Feb 6, 2024 · 5 comments
Open

Escaping is not applied at the expected level #897

WesleyAC opened this issue Feb 6, 2024 · 5 comments

Comments

@WesleyAC
Copy link

WesleyAC commented Feb 6, 2024

I found the following tera template very surprising when evaluated with the default autoescaping:

{% set foo = 'def' %}
{{ 'abcdef' == 'abc' ~ foo }}
{{ 'abc/def' == 'abc/' ~ 'def' }}
{{ 'abc/def' == 'abc/' ~ foo }}

It returns:

true
true
false

This is because the last statement is evaluating 'abcdef' == 'abc/def'

There are two behaviours that would seem roughly sensible to me here:

  • foo is escaped, equaling foo (since it does not have any special characters), then the rest of the statement is evaluated.
  • The entire statement is evaluated, and because it's tainted with a unsafe value, the entire result (true) is escaped.

The first seems most sensible to me, but the latter would also be defensible, in my opinion.

The actual behavior seems very strange, where the escaping happens at some kind of intermediate level, determining that the RHS of the expression is tainted and escaping the entire thing before evaluating the rest of the expression. This appears to be a bug to me.

@WesleyAC
Copy link
Author

WesleyAC commented Feb 6, 2024

In the unlikely event that anyone manages to find this issue and is wondering how to work around this, creating a temporary variable with safe seems to be the way to go:

{% set tmp = 'abc/' ~ foo | safe %}
{{ 'abc/def' == tmp }}

@Keats
Copy link
Owner

Keats commented Feb 6, 2024

I've added those tests in https://github.com/Keats/tera2 and it return true for all 3 rows as escaping is now done only when writing to the buffer.

@WesleyAC
Copy link
Author

WesleyAC commented Feb 7, 2024

Great! Do you have a rough idea of when Tera 2 will start to be ready for use?

@Keats
Copy link
Owner

Keats commented Feb 7, 2024

Not for a few months at least, when it's ready it's going to be used in Zola first before releasing 2.0.0 to make sure it's battle tested

@schungx
Copy link

schungx commented Jun 13, 2024

I believe I have found a bug similar to this:

{{  foo.bar | default(value=foo.baz) }}

foo.baz will be escaped TWICE if foo.bar is not present.

It works perfectly this way:

{% if foo.bar %}{{ foo.bar }}{% else %}{{ foo.baz }}{% endif %}

However, it does NOT happen on all templates. I have several templates and it only happens on one. It does not happen on the rest, although they all have identical code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants