java - Guide to proper escaping in Play framework

Question

I'm trying to map out how the Play framework supports escaping.

This is a nice page spelling out the needed functionality: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

So I'm trying to relate that to Play template features and fully understand what Play does and doesn't do.

• HTML escaping: ${} or the escape() function
• Attribute escaping: I can't find a built-in solution
• JavaScript escaping: there's an escapeJavaScript() http://www.playframework.org/documentation/1.2/javaextensions
• CSS escaping: I can't find a built-in solution
• URL escaping: nothing special built-in, but usual Java solution e.g. Java equivalent to JavaScript's encodeURIComponent that produces identical output? - Update: there's urlEncode() at http://www.playframework.org/documentation/1.2/javaextensions

Another point of confusion is the support for index.json (i.e. using templates to build JSON instead of HTML). Does ${} magically switch to JavaScript escaping in a JSON document, or does it still escape HTML, so everything in a JSON template has to have an explicit escapeJavaScript()?

There's also an addSlashes() on http://www.playframework.org/documentation/1.2/javaextensions , but it doesn't seem quite right for any of the situations I can think of. (?)

It would be great to have a thorough guide on how to do all the flavors of escaping in Play. It looks to me like the answer is "roll your own" in several cases but maybe I'm missing what's included.

Answer 1

I've been looking into this so decided to write up my own answer based on what you already had, this OWASP cheat sheet and some experimentation of my own

HTML escaping:

• ${} or the escape() function

Attribute escaping: (common attributes)

• This is handled in play so long as you wrap your attributes in double quotes (") and use ${}.
• For complex attributes (href/src/etc.) see JavaScript below
• Example unsafe code
  • <a id=${data.value} href="...">...</a>
  • <a id='${data.value}' href="...">...</a>
• This would break with this for data.value:
  • % href=javascript:alert('XSS')
  • %' href=javascript:alert(window.location)

JavaScript escaping: (and complex attributes)

• Use escapeJavaScript(). http://www.playframework.org/documentation/1.2/javaextensions
• Example unsafe code
  • <a onmouseover="x='${data.value}'; ..." href="...">...</a>
• This would break with this for data.value:
  • '; javascript:alert(window.location);//

CSS escaping:

• Not sure as I've no need for this.
  • I'd imagine you'd need to create your own somehow. Hopefully there is something out there to manipulate the strings for you.

URL escaping:

• use urlEncode(). http://www.playframework.org/documentation/1.2/javaextensions