authorMichael Merickel <michael@merickel.org>2011-05-27 03:37:22 -0500
committerMichael Merickel <michael@merickel.org>2011-05-27 03:37:22 -0500
commit18b25a643bb7fe4c8dc1f832470c1cf2ff513a9e (patch)
tree4676e50cae7ce60967fc60a982510cc969b7a1f0
parent58b7d199c559f5008b81e0c46f22f0b8f03f2fa3 (diff)
Attempt to fix issue #193 by setting mako default filter to 'h'.
-rw-r--r--CHANGES.txt7
-rw-r--r--docs/whatsnew-1.1.rst9
-rw-r--r--pyramid/mako_templating.py2
-rw-r--r--pyramid/tests/fixtures/nonminimal.mak1
-rw-r--r--pyramid/tests/test_mako_templating.py5
5 files changed, 23 insertions, 1 deletions
diff --git a/CHANGES.txt b/CHANGES.txt
index 8b2dae7f1..9dd1af2c5 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -236,6 +236,13 @@ Deprecations
Behavior Changes
----------------
+- The default Mako renderer is now configured to escape all HTML in
+ expression tags. This is intended to help prevent XSS attacks caused by
+ rendering unsanitized input from users. To revert this behavior in user's
+ templates, they need to filter the expression through the 'n' filter.
+ For example, ${ myhtml | n }.
+ See https://github.com/Pylons/pyramid/issues/193.
+
- A custom request factory is now required to return a response object that
has a ``response`` attribute (or "reified"/lazy property) if they the
request is meant to be used in a view that uses a renderer. This
diff --git a/docs/whatsnew-1.1.rst b/docs/whatsnew-1.1.rst
index ea56e2020..761fa8d3a 100644
--- a/docs/whatsnew-1.1.rst
+++ b/docs/whatsnew-1.1.rst
@@ -94,6 +94,15 @@ Minor Feature Additions
Deprecations and Behavior Differences
-------------------------------------
+- The default Mako renderer is now configured to escape all HTML in
+ expression tags. This is intended to help prevent XSS attacks caused by
+ rendering unsanitized input from users. To revert this behavior in user's
+ templates, they need to filter the expression through the 'n' filter::
+
+ ${ myhtml | n }.
+
+ See https://github.com/Pylons/pyramid/issues/193.
+
- Deprecated all assignments to ``request.response_*`` attributes (for
example ``request.response_content_type = 'foo'`` is now deprecated).
Assignments and mutations of assignable request attributes that were
diff --git a/pyramid/mako_templating.py b/pyramid/mako_templating.py
index 9d14ca8fe..fea8066d4 100644
--- a/pyramid/mako_templating.py
+++ b/pyramid/mako_templating.py
@@ -66,7 +66,7 @@ def renderer_factory(info):
module_directory = settings.get('mako.module_directory', None)
input_encoding = settings.get('mako.input_encoding', 'utf-8')
error_handler = settings.get('mako.error_handler', None)
- default_filters = settings.get('mako.default_filters', None)
+ default_filters = settings.get('mako.default_filters', 'h')
imports = settings.get('mako.imports', None)
strict_undefined = settings.get('mako.strict_undefined', 'false')
if directories is None:
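Review bot: The new `'h'` default on the `default_filters` line is only a default, not a guarantee: any deployment that already sets `mako.default_filters` explicitly (for example to `unicode` or `str`) replaces the whole filter list and silently loses the escaping the changelog promises, so that line deserves a comment such as `# Escape HTML in ${...} by default (issue #193); an explicit mako.default_filters setting replaces this wholesale and must include 'h' to keep escaping.` The `h` filter is an HTML-context escape; it does not make a value safe when interpolated into a URL, an inline script or a style block, and the settings documentation for `mako.default_filters` should state both points. renderer_factory starts and ends outside the hunk, and the conversion of the string `'h'` into the list Mako's TemplateLookup expects presumably happens there; it is not visible here.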
diff --git a/pyramid/tests/fixtures/nonminimal.mak b/pyramid/tests/fixtures/nonminimal.mak
new file mode 100644
index 000000000..9de95ec92
--- /dev/null
+++ b/pyramid/tests/fixtures/nonminimal.mak
@@ -0,0 +1 @@
+Hello, ${name}!
diff --git a/pyramid/tests/test_mako_templating.py b/pyramid/tests/test_mako_templating.py
index 054c83d2b..6b2adbe09 100644
--- a/pyramid/tests/test_mako_templating.py
+++ b/pyramid/tests/test_mako_templating.py
@@ -354,6 +354,11 @@ class TestIntegration(unittest.TestCase):
self.assertRaises(TemplateLookupException, render,
'helloworld_not_here.mak', {})
+ def test_template_default_escaping(self):
+ from pyramid.renderers import render
+ result = render('nonminimal.mak', {'name':'<b>fred</b>'}).replace('\r','')
+ self.assertEqual(result, u'Hello, &lt;b&gt;fred&lt;/b&gt;!\n')
+
class TestPkgResourceTemplateLookup(unittest.TestCase):
def _makeOne(self, **kw):
from pyramid.mako_templating import PkgResourceTemplateLookup
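Review bot: test_template_default_escaping checks only `<` and `>`; the `h` filter's treatment of `&` and of quote characters, which is what matters for attribute-value injection, is unverified, and so is the `| n` opt-out the changelog tells users to rely on. A second fixture rendering `${name | n}` with the same `<b>fred</b>` input, asserted to come back unescaped, would pin both halves of the new behaviour, and a case with `&` and `"` in `name` would confirm the full escape set (the exact expected string depends on Mako's `h` implementation and should be taken from it rather than guessed). The new test relies on `render` resolving `nonminimal.mak` through the lookup configuration this class sets up outside the hunk. TestIntegration continues outside the hunk on both sides.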