Saturday, November 23, 2013

Evaluating a Bedrock string

I sometimes forget how easy it is to do some things in Bedrock. Take, for example, evaluating a Bedrock expression.

<pebble $expression>

So how do I create the Bedrock expression? Setting aside the fact that evaluating strings in a web application is something you want to think carefully about, since it can easily become a security hole, one could construct a string to execute like this:

<sink:expression --htmldecode>&lt;trace --output $env></sink>
<pebble $expression>

By enclosing the string you want to evaluate in a <sink> tag, and starting the tag with an HTML entity (&lt;) so that Bedrock does not recognize it as one of its own tags, the expression is stored as a plain string; the --htmldecode option turns the entity back into a literal < when the sink captures its body. You can then use the <pebble> tag to execute the stored string.

In this case, there's not much of a security risk, since you are providing the string to evaluate. But consider:

<form>
<textarea name="expression" rows="10" cols="60">
<var $input.expression>
</textarea>
</form>

<if $input.expression>
<pre>
  <pebble $input.expression>
</pre>
</if>

Allowing execution of arbitrary, user-supplied Bedrock statements is probably not something you want to do.
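As an added illustration (not Bedrock code, and not part of the original post), here is the kind of gate I would put between a request parameter and <pebble>: decode entities to a fixed point, so the &lt; trick above is judged by what it becomes, reject anything that still looks like a tag, and only then accept a bare variable reference. The allowlist pattern and the policy are assumptions for this example; Bedrock's real expression grammar is wider.

```python
import html
import re

# Constructed allowlist: a plain Bedrock-style variable reference such as
# $input.expression. Anything else is treated as "not worth evaluating".
_SAFE_VAR_REF = re.compile(r"^\$[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*$")


def fully_decode(text: str, max_rounds: int = 5) -> str:
    """HTML-decode until the string stops changing.

    The post shows '&lt;trace ...>' becoming a live tag after one decode;
    '&amp;lt;' survives one pass and becomes '<' on the next, so a single
    html.unescape() would judge the wrong string.
    """
    for _ in range(max_rounds):
        decoded = html.unescape(text)
        if decoded == text:
            return text
        text = decoded
    return text


def classify_expression(raw: str) -> str:
    """Return 'allow' or 'reject' for a string a request wants handed to <pebble>."""
    decoded = fully_decode(raw)
    # Bedrock tags start with '<'; an entity-built '<' is exactly the trick
    # in the post, so any angle bracket after decoding is an immediate reject.
    if "<" in decoded or ">" in decoded:
        return "reject"
    # What remains must be nothing more than a variable reference.
    if not _SAFE_VAR_REF.match(decoded.strip()):
        return "reject"
    return "allow"


# Constructed sample inputs covering the cases discussed in the post.
SAMPLES = {
    "$env": "allow",
    "$input.expression": "allow",
    "<trace --output $env>": "reject",
    "&lt;trace --output $env>": "reject",            # the --htmldecode trick
    "&amp;lt;pebble $expression&amp;gt;": "reject",  # double-encoded variant
    "$env $input": "reject",                         # not a single reference
}


def run_samples() -> dict:
    """Classify every constructed sample; compare against SAMPLES to check."""
    return {s: classify_expression(s) for s in SAMPLES}


if __name__ == "__main__":
    for sample, verdict in run_samples().items():
        print(f"{verdict:6} {sample!r}")
```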
