python_template_engine/html_security_demo.py at master · ssrikanta/python_template_engine · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
Comprehensive demonstration of HTML template security risks
"""

from template_engine import TemplateEngine

def html_security_demo():
    """Demonstrate security risks when auto_escape is disabled for HTML."""

    print("🚨 SECURITY DEMO: HTML Templates Without auto_escape")
    print("=" * 70)

    engine = TemplateEngine()

    # Simulate malicious user input
    malicious_input = {
        'user_name': '<script>alert("Stolen cookies: " + document.cookie)</script>',
        'user_bio': '<img src="x" onerror="window.location=\'http://evil-site.com\'">',
        'comment': '</textarea><script>alert("XSS in form!")</script><textarea>',
        'search_term': '" onmouseover="alert(\'Hover attack!\')" data="'
    }

    html_template = '''<!DOCTYPE html>
<html>
<head>
    <title>User Profile</title>
</head>
<body>
    <h1>User: $user_name</h1>
    <p>Bio: $user_bio</p>
    <div>Comment: $comment</div>
    <input type="text" value="$search_term" placeholder="Search...">
</body>
</html>'''

    print("📋 Malicious User Input:")
    for key, value in malicious_input.items():
        print(f"  📝 {key}: {repr(value)}")

    print(f"\n🔒 SAFE HTML (auto_escape=True):")
    print("=" * 50)
    safe_html = engine.render(html_template, malicious_input, auto_escape=True)
    print(safe_html)

    print(f"\n💀 DANGEROUS HTML (auto_escape=False):")
    print("=" * 50)
    dangerous_html = engine.render(html_template, malicious_input, auto_escape=False)
    print(dangerous_html)

    print(f"\n🎯 WHAT HAPPENS IN BROWSER:")
    print("=" * 50)
    print("✅ SAFE VERSION:")
    print("  • Scripts display as text: &lt;script&gt;...&lt;/script&gt;")
    print("  • No JavaScript execution")
    print("  • HTML structure preserved")
    print("  • Users see the actual input, not code")

    print("\n❌ DANGEROUS VERSION:")
    print("  • Scripts EXECUTE in browser!")
    print("  • alert() dialogs would pop up")
    print("  • Cookies could be stolen")
    print("  • Users could be redirected to malicious sites")
    print("  • Form inputs could be hijacked")

def content_type_examples():
    """Show different content types and escaping needs."""

    print(f"\n\n📊 CONTENT TYPE EXAMPLES")
    print("=" * 50)

    engine = TemplateEngine()

    data = {
        'code_snippet': '<div class="highlight">print("Hello")</div>',
        'user_message': 'I love <3 your site & want to share it!',
        'math_formula': 'if x < 5 && y > 10 then result = x & y',
        'html_content': '<p>This is <strong>bold</strong> text</p>'
    }

    examples = [
        ("Code Documentation", '$code_snippet'),
        ("User Message", '$user_message'),
        ("Math Formula", '$math_formula'),
        ("Rich Content", '$html_content')
    ]

    for title, template in examples:
        print(f"\n📝 {title}:")
        print(f"   Input: {repr(data[template[1:]])}")

        escaped = engine.render(template, data, auto_escape=True)
        unescaped = engine.render(template, data, auto_escape=False)

        print(f"   ✅ Escaped:   {escaped}")
        print(f"   ❌ Unescaped: {unescaped}")

def recommendations():
    """Provide security recommendations."""

    print(f"\n\n💡 SECURITY RECOMMENDATIONS")
    print("=" * 50)

    print("🎯 FOR HTML TEMPLATES:")
    print("  ✅ ALWAYS use auto_escape=True")
    print("  ✅ engine.render(template, data, auto_escape=True)")
    print("  ✅ Escapes: < > & \" to prevent XSS")
    print("  ✅ Preserves Unicode characters")

    print("\n🎯 FOR TEXT/EMAIL TEMPLATES:")
    print("  ✅ Use auto_escape=False")
    print("  ✅ engine.render(template, data, auto_escape=False)")
    print("  ✅ Preserves all characters exactly")
    print("  ✅ No HTML escaping needed")

    print("\n🎯 RULE OF THUMB:")
    print("  🌐 HTML output → auto_escape=True")
    print("  📄 Text output → auto_escape=False")
    print("  🤔 When unsure → auto_escape=True (safer!)")

    print("\n⚠️  NEVER DO THIS IN PRODUCTION:")
    print("  ❌ engine.render(html_template, user_data, auto_escape=False)")
    print("  ❌ Disabling escaping with user-generated content")
    print("  ❌ Trusting user input without validation")

if __name__ == "__main__":
    html_security_demo()
    content_type_examples()
    recommendations()