Context-Sensitive Auto-Sanitization in Web Templating Languages Using Type Qualifiers

Mike Samuel, Prateek Saxena, Dawn Song,
In Proceedings of the ACM Conference on Computer and Communications Security (CCS) 2011


Scripting vulnerabilities, such as cross-site scripting (XSS), plague web applications today. Most research on defense techniques has focused on securing existing legacy applications written in general-purpose languages, such as Java and PHP. However, recent and emerging applications have widely adopted web templating frameworks that have received little attention in research. Web templating frameworks offer an ideal opportunity to ensure safety against scripting attacks by secure construction, but most of today's frameworks fall short of achieving this goal. We propose a principled type-qualifier based mechanism that can be bolted onto existing web templating frame- works. Our solution permits rich expressiveness in the tem- plating language while achieving backwards compatibility, per- formance and formal security through a context-sensitive auto- sanitization (CSAS) engine. To demonstrate its practicality, we implement our mechanism in Google Closure Templates, a commercially used open-source templating framework that is used in GMail, Google Docs and other applications. Our approach is fast, precise and retrofits to existing commer- cially deployed template code without requiring any changes or annotations.

Source Code and Related Links

Google Closure Templates now has an implementation of the primitive called contextual (or context-sensitive) auto-sanitization. There are other related implementations of contextual auto-sanitization presently underway.