@ArthurClune
Created December 17, 2015 17:16
# escaping.txt
---
{ "value":"\u00B9"}
---
<div>&sup1;</div>
# url.txt
---
NEW TEMPLATE: .. in URLs are removed
---
<div>
url("http://victim/cgi/../../../etc/passwd")
</div>
---
{}
---
<div>http://victim/cgi/etc/password</div>
# output
test-case/basics/escaping.txt: Bad template output
Escaping of strings
EXPECTED: <div>&sup1;</div>
OUTPUT: <div>¹</div>
DRIVER: NestedJavaDriver
test-case/basics/escaping.txt: Bad template output
Escaping of strings
EXPECTED: <div>&sup1;</div>
OUTPUT: <div>¹</div>
DRIVER: JRubyJSONDriver
test-case/basics/url.txt: Bad template output
.. in URLs are removed
EXPECTED: <div>http://victim/cgi/etc/password</div>
OUTPUT: <div>http://victim/cgi/../../../etc/passwd</div>
DRIVER: NestedJavaDriver
test-case/basics/url.txt: Bad template output
.. in URLs are removed
EXPECTED: <div>http://victim/cgi/etc/password</div>
OUTPUT: <div>http://victim/cgi/../../../etc/passwd</div>
DRIVER: JRubyJSONDriver
FAILED
351 tests, 347 passed, 4 failed, in 77 files
@bensummers

Case 1: I'll document the threat model more carefully in the README file. At the moment it's a bit spread around and doesn't have a "Threat model" heading.

Case 2: The syntax is url("mybase" user_input) and then user_input will be escaped to %-encode those / signs. Of course this relies on the web server being sensible. Which I perhaps need to look at again, as that sounds like an invalid assumption.

Have a look at the "URLs" section in the README. It's designed to do all the common URL generation stuff so you don't need to hand roll your URLs, in an attempt to make the easy way out the secure way.

Thanks again for your thoughts.
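The url("mybase" user_input) construction described in the comment above, as an added Ruby example that is not code from this thread or from the library under discussion. The names encode_segment, safe_url, dot_segments_after_decode and safe_url_strict are assumed for illustration, and the sample input reuses the traversal string from url.txt.

```ruby
# Added illustration of the url("base" user_input) idea from the thread.
# Assumed names: encode_segment, safe_url, dot_segments_after_decode,
# safe_url_strict (none of these come from the library being discussed).

# Percent-encode everything except RFC 3986 unreserved characters, so a
# user-supplied value becomes a single path segment: "/" turns into "%2F"
# and cannot add or remove directory levels relative to the trusted base.
def encode_segment(user_input)
  user_input.b.gsub(/[^A-Za-z0-9\-._~]/) { |c| format("%%%02X", c.ord) }
end

# Trusted literal base plus the encoded, user-controlled tail.
def safe_url(base, user_input)
  base + encode_segment(user_input)
end

# The comment notes that the encoding only helps if the web server treats
# %2F sensibly. This models a server that decodes once before resolving the
# path and returns the dot segments that would then be present.
def dot_segments_after_decode(url)
  path = url.sub(%r{\A[a-z][a-z0-9+.-]*://[^/]*}i, "")
  decoded = path.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  decoded.split("/").select { |seg| seg == "." || seg == ".." }
end

# Defence in depth for that case: refuse user input that would yield a dot
# segment even after a careless decode, rather than relying on the server.
def safe_url_strict(base, user_input)
  url = safe_url(base, user_input)
  unless dot_segments_after_decode(url).empty?
    raise ArgumentError, "dot segment in user-supplied URL part"
  end
  url
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample using the traversal string from the gist's url.txt.
  puts safe_url("http://victim/cgi/", "../../../etc/passwd")
  # http://victim/cgi/..%2F..%2F..%2Fetc%2Fpasswd
end
```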

@ArthurClune

Case 2: I see the design now. If it's a widely used library, someone somewhere will abuse that syntax, but at that point they are probably outside the scope of what can be done.

@bensummers
Copy link

Unfortunately I can't solve all the problems of the web. I've read "The Tangled Web" and I think I've addressed all the content generation issues I can, but there's still the other 99% of the book. :-(
