Template injection vulnerability when using variables inside conditionals #149

Description

@felipeptcho

Some of my variables come from user input.
The user should be free to type any character, including the delimiters.
But if they type expressions like "{{2*3}}", this can lead to template injection if we use those variables inside conditionals.

Example:

const posthtml = require('posthtml')
const expressions = require('posthtml-expressions')

posthtml(expressions({ locals: { variable: '{{2*3}}' } })).process(`
  Here it works: {{variable}}
  <p>Here it works too: {{variable}}</p>

  <if condition="true">
    Here it doesn't work: {{variable}}
  </if>

  This is not documented and probably should only allow HTML characters: {{{variable}}}
`).then((result) => console.log(result.html))

Result:

  Here it works: {{2*3}}
  <p>Here it works too: {{2*3}}</p>
  
    Here it doesn't work: 6
  
  This is not documented and probably should only allow HTML characters: 6

According to my investigation, it seems that the content inside conditionals is being parsed twice by the walk() function.

  • So in the first pass: {{variable}} -> {{2*3}}
  • And in the next pass: {{2*3}} -> 6
