[issue9061] cgi.escape Can Lead To XSS Vulnerabilities
orsenthil at gmail.com
Wed Jun 23 20:41:29 CEST 2010
On Wed, Jun 23, 2010 at 03:46:35PM +0000, Craig Younkins wrote:
> cgi.escape never escapes single quote characters, which can easily
> lead to a Cross-Site Scripting (XSS) vulnerability. This seems to be
> known by many, but a quick search reveals many are using cgi.escape
> for HTML attribute escaping.
cgi.escape is for HTML attribute escaping only. I guess, you should
explain or point out to resources where 'single quotes' representation
in a non-entity format in a HTML page has lead to XSS.
> The intended use of this method is unclear to me.
Escape HTML characters (most commonly), >,<, & and ". And mostly when
constructing responses where these characters are literally required.
> While the documentation says "if the value to be quoted might
> include single- or double-quote characters... [use the]
> xml.sax.saxutils module instead," it also implies that this method
> will make input safe for HTML. Because this method escapes 4 of the
"More suitable" for HTML would be the correct interpretation rather
make the "input safe". You might check the reference documentation
leading to xml.sax.saxutils.
> I suggest rewording the documentation for the method making it more
> clear what it should and should not be used for.
The very next paragraph seems to address the security considerations
while using the cgi module itself, rather than limiting it to
cgi.escape. It says that:
"To be on the safe side, if you must pass a string gotten from a form
to a shell command, you should make sure the string contains only
alphanumeric characters, dashes, underscores, and periods."
With respect your bug report:
1. Any doc change suggestions you propose? (After pointing out the
resources requested in first para)
2. If cgi.escape needs to escape single quotes, what should it be as:
lsquo/rsquo (for XHTML) and ' or ' for Others?
More information about the Python-bugs-list