[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

Craig Younkins report at bugs.python.org
Wed Jun 23 21:06:01 CEST 2010


Craig Younkins <cyounkins at gmail.com> added the comment:

> cgi.escape is for HTML attribute escaping only.

It is not safe for HTML attribute escaping because it does not encode single quotes.

> "More suitable" for HTML would be the correct interpretation rather make the "input safe".

"More suitable, but not quite secure"

Regardless of the intended use of this method, many many people are using it for insecure HTML entity escaping.

> you should explain or point out to resources where 
> 'single quotes' representation in a non-entity format 
> in a HTML page has lead to XSS.

print "<body class='%s'></body>" % cgi.escape("' onload='alert(1);' bad='")

> The very next paragraph seems to address the security considerations
> while using the cgi module itself, rather than limiting it to
> cgi.escape. It says that:
> "To be on the safe side, if you must pass a string gotten from a form
> to a shell command, you should make sure the string contains only
> alphanumeric characters, dashes, underscores, and periods."

The security concerns related to output on the web are very different from the concerns related sending user input to a shell command. The needed escaping is completely different. Also, the security advice above is woefully inadequate. 

> Any doc change suggestions you propose?

Convert the characters '&', '<' and '>' in string s to their HTML entity encoded values. If the optional flag quote is true, the double-quotation mark character ('"') is also encoded. Note that the output of this method is not safe to put in an HTML attribute because it does not escape single quotes. If the value to be quoted might include single- or double-quote characters, or both, consider using the quoteattr() function in the xml.sax.saxutils module instead.

> If cgi.escape needs to escape single quotes, what should it be as:
> lsquo/rsquo (for XHTML) and &#x27; or &#39; for Others?

Sorry, I should have included that in the OP. It should escape to &#x27; 
It is also advised to escape the forward slash character ('/') to &#x2F;

See OWASP.org for an explanation of the complexities of the escaping:
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue9061>
_______________________________________


More information about the Python-bugs-list mailing list