Question

I have been reviewing the source code for discourse.js, a discussion forum written in Ember/Rails/Postgres. I'm researching best practices in avoiding XSS vulnerabilities in these kinds of apps.

I notice that Discourse uses the notion of "cooked" strings, which are partially pre-escaped strings used for things like the bodies of posts, then displays them in Ember using triple mustaches ({{{}}}).

In other cases, however, such as post title, Discourse sends and receives raw, unescaped strings such as "This & that about the tag", and displays them using double mustaches ({{}}).

I have the following questions about all this:

(1) It seems that Discourse uses "cooking" only for fields in which Markdown is supported, such as post body. Is cooking merely a way to deal with post-processed Markdown fields, or is it also intended to address XSS issues?

(2) Is it not considered an XSS vulnerability to have raw strings, including things which look like HTML tags or actually are HTML tags, passed from the server to the client in JSON? Some XSS sniffers apparently complain about such things, and some people appear to be recommending HTML entity escaping and/or sanitization on the server.

Solution

1) Not exactly sure what Discourse is doing here. Because Markdown is rendered into HTML, it needs to use the unescaped output. Otherwise the HTML generated from Markdown would be escaped. Discourse does seem to have HTML sanitization within the source code, although I'm not sure when it is applied.

2) I would say no. JSON is not an executable format. So as long as text is treated as text etc., then there is no issue. As a general idea, a good reason for not escaping server side would be a mobile app which was using native controls to display text. A single page app and a mobile app could use the same JSON API, but escaping would not be necessary for the mobile app. Additionally, escaping requires a context. The OWASP XSS Prevention Cheat Sheet defines a set of contexts which require different escaping. So a single escaping on the server may be the wrong one.
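The following is an added example, not code from Discourse or from the answer above, illustrating the two points the answer makes: raw strings survive JSON transport untouched, and escaping is applied by the consumer in the context where the string is rendered. The `render` function is a deliberately tiny stand-in for Handlebars-style templating (it assumes the Ember/Handlebars convention that `{{x}}` escapes and `{{{x}}}` does not); the escaper functions follow the HTML-body, HTML-attribute and JavaScript-string rules from the OWASP XSS Prevention Cheat Sheet, and the sample title is constructed.

```javascript
// Added example (not Discourse's code): the same raw string, escaped at the
// point of use in three different output contexts.

// HTML body context: entity-encode the six characters OWASP lists.
const HTML_BODY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"'/]/g, (c) => HTML_BODY_MAP[c]);
}

// HTML attribute context (unquoted or quoted): encode everything that is not
// alphanumeric as &#xHH;, since attribute values end on more than just quotes.
function escapeHtmlAttr(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) =>
    '&#x' + c.codePointAt(0).toString(16).toUpperCase() + ';');
}

// JavaScript string context: \xHH for single-byte code points, \uXXXX above.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100
      ? '\\x' + cp.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + cp.toString(16).toUpperCase().padStart(4, '0');
  });
}

// Minimal Handlebars-like renderer (assumption: same semantics as Ember's
// mustaches). {{name}} escapes for the HTML body; {{{name}}} inserts as-is,
// which is only safe when the value is already sanitized HTML ("cooked").
function render(template, data) {
  return template.replace(
    /\{\{\{(\w+)\}\}\}|\{\{(\w+)\}\}/g,
    (_m, raw, esc) =>
      raw !== undefined ? String(data[raw] ?? '') : escapeHtml(data[esc] ?? '')
  );
}

// Simulated API transport: the server serialises the raw string; the client
// gets the identical string back. Nothing executes in between.
function transportRoundTrip(title) {
  const body = JSON.stringify({ title });           // what the server sends
  return JSON.parse(body).title;                     // what any client receives
}

// Constructed sample title containing characters that matter in HTML.
const SAMPLE_TITLE = 'This & that <b>about</b> the "tag"';

// Convenience driver returning every rendering for inspection.
function demo(title = SAMPLE_TITLE) {
  const received = transportRoundTrip(title);
  return {
    transportUnchanged: received === title,
    nativeControl: received,                                   // mobile app: text is text
    doubleMustache: render('<h1>{{title}}</h1>', { title: received }),
    attribute: '<a title="' + escapeHtmlAttr(received) + '">',
    jsString: "var t = '" + escapeJsString(received) + "';",
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running `demo()` shows why one server-side escaping cannot serve all clients: the mobile consumer wants the unchanged text, the HTML body wants `&amp;` and `&lt;`, the attribute wants `&#x26;` and `&#x3C;`, and the JavaScript string wants `\x26` and `\x3C`. The only place `{{{ }}}` is used is for content that was already sanitized into trusted HTML, which is the "cooked" case from the question.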

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow