add section on securing fillOdtTemplate

2025-09-18 16:13:07 +02:00 · 2025-09-18 16:13:07 +02:00 · 5e1b0b3da4
commit 5e1b0b3da4
parent 44221b4255
1 changed files with 13 additions and 0 deletions
--- a/readme.md
+++ b/readme.md
@ -125,6 +125,19 @@ There are also loops in the form:
 They can be used to generate lists or tables in .odt files from data and a template using this syntax


+#### Securing calls to fillOdtTemplate
+
+`fillOdtTemplate` evaluate arbitrary JavaScript code in `{#each <collection> as élément}` and `{#if <condition>}` and in `{<expression>}`
+
+By default, `fillOdtTemplate` limits access to global functions to only ECMAScript defaults via the use of [ses' Compartment](https://www.npmjs.com/package/ses#compartment), this prevents naïve data exfiltration
+
+However, `fillOdtTemplate` is vulnerable to [prototype pollution](https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html) inside template code. Two main ways to be secure are:
+- control the set of possible templates
+- call ses' `lockdown` which freezes Javascript intrinsics before calling `fillOdtTemplate` (this may lead to incompatibilities)
+
+
+
+
 ### Demo

 https://odfjs.github.io/odfjs/