[New-bugs-announce] [issue46151] SimpleCookie.js_output is vulnerable to HTML injection
Trung Pham
report at bugs.python.org
Wed Dec 22 08:26:50 EST 2021
New submission from Trung Pham <trungpaaa at gmail.com>:
In /Lib/http/cookies.py, the output from SimpleCookie.js_output might be parsed as HTML if it contained < and >.
```
from http import cookies
c = cookies.SimpleCookie()
c["fig"] = "newton</script><script>alert(document.domain)</script>";
// c.js_output()
<script type="text/javascript">
<!-- begin hiding
document.cookie = "fig=\"newton</script><script>alert(document.domain)</script>\"";
// end hiding -->
</script>
```
We can't simply escape all the special characters because the encoding method is treated differently depending on the document types. For example, the following snippet (from The Tangled Web) is safe in HTML but not in XHTML:
```
<script type="text/javascript">
var tmp = 'I am harmless! '+alert(1);// Or am I?';
</script>
```
To avoid messing with the encoding methods, we could encode the cookie string in base64 and let the browser decode it.
```
// c.js_output()
<script type="text/javascript">
document.cookie = base64decode(<ENCODED>);
</script>
```
After searching around on Github, I think this function is rarely used so making it deprecated is also an option.
----------
components: Library (Lib)
messages: 409035
nosy: trungpaaa
priority: normal
severity: normal
status: open
title: SimpleCookie.js_output is vulnerable to HTML injection
type: security
versions: Python 3.11
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue46151>
_______________________________________
More information about the New-bugs-announce
mailing list