
While reading about the Closure Templates I encountered the following statement:

Closure Templates are contextually autoescaped to reduce the risk of XSS.

As far as I know, escaping is removing ambiguity in the input string, as described here.

I am not sure what that really means; perhaps an explanation with a real-world example would be really helpful.

trieulieuf9

1 Answer


There's more detail on security and autoescaping at this page of the Closure Templates documentation. In particular, look at the example given here.

You will see that an input, {$x}, is escaped differently depending on where it is to be inserted in the template output (e.g. in HTML, JavaScript, CSS, etc.). This is what is meant by contextual (i.e. context-dependent) autoescaping.

As described in the documentation:

  • When {$x} appeared inside HTML text, we entity-encoded it (< → &lt;).
  • When {$x} appeared inside a URL or as a CSS quantity, we rejected it because it had a protocol javascript: that was not http or https, and instead output a safe value #zSoyz. Had {$x} appeared in the query portion of a URL, we would have percent-encoded it instead of rejecting it outright (< → %3C).
  • When {$x} appeared in JavaScript, we wrapped it in quotes (if not already inside quotes) and escaped HTML special characters (< → \x3c).
  • When {$x} appeared inside CSS quotes, we did something similar to JavaScript, but using CSS escaping conventions (< → \3c ).

The malicious output was defanged.

Zejji
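The answer above lists what the autoescaper does to {$x} in each context. The following is an added example, not code from the question, the answer, or the Closure Templates project: a small hand-written contextual escaper in JavaScript that applies the same per-context rules (entity encoding in HTML, percent encoding in a URL query, rejection of non-http(s) schemes with the "#zSoyz" sentinel for a whole URL, `\xHH` escapes in a JS string, `\HH ` escapes in a CSS string). The function names, the URL-filter regular expression (loosely modelled on the behaviour the answer describes, not copied from the library) and the sample payloads are all assumptions constructed for the illustration.

```javascript
// Added illustration of contextual autoescaping. Not Closure Templates code;
// every function name here is an assumption made for this example.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Context: HTML text or a quoted attribute value -> entity-encode ('<' -> '&lt;').
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Context: inside the query part of a URL -> percent-encode ('<' -> '%3C',
// ':' -> '%3A'), so a "javascript:" prefix can never become a scheme.
function escapeUriQuery(value) {
  return encodeURIComponent(String(value));
}

// Context: a whole URL attribute (href/src). Accept only http(s) URLs or
// URLs with no scheme at all (no ':' or '&' before the first '/', '?' or '#');
// anything else, including "javascript:" or "java\nscript:", is rejected and
// replaced with the harmless fragment '#zSoyz' the answer mentions.
// The regex is an assumption for this example, not the library's own filter.
const SAFE_URI = /^(?:https?:|[^&:/?#]*(?:[/?#]|$))/i;
function filterNormalizeUri(value) {
  const str = String(value);
  if (!SAFE_URI.test(str)) return '#zSoyz';
  return encodeURI(str); // normalize: '<' -> '%3C', ' ' -> '%20', keeps '/?#=&'
}

// Context: inside a quoted JavaScript string literal -> '\xHH' (or '\uHHHH')
// for every character that could end the string or the <script> element.
function escapeJsString(value) {
  return String(value).replace(/[\\'"<>&\/\r\n\u2028\u2029]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 0x100
      ? '\\x' + code.toString(16).padStart(2, '0')
      : '\\u' + code.toString(16).padStart(4, '0');
  });
}

// Context: inside a quoted CSS string -> CSS hex escape with a terminating
// space ('<' -> '\3c ') so the following character is not read as hex.
function escapeCssString(value) {
  return String(value).replace(/[\\'"<>&\/\r\n]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16) + ' ');
}

// A hand-written template: the same value x is emitted into five different
// contexts, and each insertion point uses the escaper for its own context
// (this is the choice an autoescaper makes for you by parsing the template).
function renderTemplate(x) {
  return [
    `<div>${escapeHtml(x)}</div>`,                                      // HTML text
    `<a href="${escapeHtml(filterNormalizeUri(x))}">link</a>`,          // whole URL
    `<a href="/search?q=${escapeHtml(escapeUriQuery(x))}">find</a>`,    // URL query
    `<script>var x = '${escapeJsString(x)}';</script>`,                 // JS string
    `<style>p::after { content: '${escapeCssString(x)}'; }</style>`,    // CSS string
  ].join('\n');
}

// Constructed sample payloads (not from the page), one per breakout technique.
const PAYLOADS = [
  "<script>alert(1)</script>",          // tries to inject an element / close <script>
  "javascript:alert(document.cookie)",  // tries to become the href's scheme
  "'; alert(1); //",                    // tries to end the JS/CSS string literal
];

// Render each payload; returns true when no rendering contains a live
// <script>alert or javascript: scheme.
function allPayloadsDefanged() {
  return PAYLOADS.every((p) => {
    const out = renderTemplate(p);
    return !out.includes('<script>alert') && !/href="javascript:/i.test(out);
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const p of PAYLOADS) console.log(renderTemplate(p), '\n');
}
```

Note the layering in the two `href` cases: the value is first made safe for the URL context (scheme filtering or percent encoding) and the result is then entity-encoded for the attribute context it sits in. That order matters: attribute decoding happens before URL parsing in the browser, so escaping only for one of the two contexts leaves the other one open.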