Escape problem
Jeff Epler
jepler at unpythonic.net
Tue Mar 2 10:37:39 EST 2004
The exact answer depends on what library you're using in your
application.
The low-level answer is that you must properly escape characters that
would otherwise be treated specially by html.
For example, the output needs to look like this
<FORM ...>
<INPUT TYPE="text" NAME="something" VALUE="foo&quot;bar&quot;">
...
</FORM>
If you do not escape or otherwise treat specially the " characters, the
resulting non-html output will contain something like
<INPUT TYPE="text" NAME="something" VALUE="foo"bar"">
... this kind of bug can also lead to cross-site scripting (XSS) problems,
for instance if an attacker can control the string in question and sets
it to something like '"><SCRIPT>alert(document.cookie)</SCRIPT>'...
Jeff
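An added illustration of the escaping described in the post (example code written for this archive page, not Jeff's or any library's code): `render_input_unescaped` is the buggy version that drops the string straight into the attribute, `render_input` escapes it with the standard library's `html.escape(..., quote=True)`, and a small `HTMLParser` subclass shows how a browser-style parser sees each result. The function and class names are assumptions; the sample values are the ones from the post.

```python
import html
from html.parser import HTMLParser


def render_input_unescaped(name, value):
    # Vulnerable: the caller's string is interpolated verbatim, so a " in
    # the value terminates the VALUE attribute and a > closes the tag.
    return '<INPUT TYPE="text" NAME="%s" VALUE="%s">' % (name, value)


def render_input(name, value):
    # Safe: quote=True turns & < > " and ' into entities, so the value
    # can never end the attribute or the tag it sits in.
    return '<INPUT TYPE="text" NAME="%s" VALUE="%s">' % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


class TagCollector(HTMLParser):
    """Records every start tag and its attributes, the way a browser would."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs[tag] = dict(attrs)


def parse(markup):
    # Returns (list of tag names seen, VALUE attribute of the INPUT tag).
    # HTMLParser lowercases tag names and decodes entities in attributes.
    p = TagCollector()
    p.feed(markup)
    p.close()
    return p.tags, p.attrs.get("input", {}).get("value")


if __name__ == "__main__":
    # Constructed sample values, taken from the post above.
    quoted = 'foo"bar"'
    attack = '"><SCRIPT>alert(document.cookie)</SCRIPT>'
    for value in (quoted, attack):
        print("unescaped :", render_input_unescaped("something", value))
        print("  parses as", parse(render_input_unescaped("something", value)))
        print("escaped   :", render_input("something", value))
        print("  parses as", parse(render_input("something", value)))
```

With the unescaped renderer the attack string yields two tags, `input` and `script`, and the stored VALUE is empty; with the escaped renderer the parser sees a single `input` tag whose VALUE round-trips to exactly the original string, which is the property the post is asking for.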