[Python-Dev] Security issue with the tracker

anatoly techtonik techtonik at gmail.com
Sun Apr 15 08:57:58 CEST 2012


On Fri, Apr 13, 2012 at 9:53 PM, Éric Araujo <eric at netwok.org> wrote:
> bugs.python.org already sanitizes the ok_message and Ezio already posted a
> patch to the upstream bug tracker, so I don’t see what else we could do.

I am +1 with Glyph that XSS protection in Roundup is an unreliable
hack. Ezio's patch just prolongs the agony - it doesn't make it
better. Code becomes less maintainable. There are two solutions to
that:

1. Use a specialized library such as
http://pypi.python.org/pypi/MarkupSafe/ - benefits - easier
maintenance, to get future fixes without waiting until somebody has
the time to test attacks on Roundup
2. Quote all HTML on the server side and use alternative (wiki) markup for
message decorations
3. Do not allow HTML content to be injected through the URL

> Also note that the Firefox extension NoScript blocks the XSS in this case.

NoScript blocks everything, doesn't it?
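Option 1 above, rendered as an added example that is not part of this thread or of Roundup's code: the ok_message query parameter is escaped with MarkupSafe's escape() before it is interpolated into the page (the stdlib html.escape is assumed as a fallback if MarkupSafe is not installed; the wrapper template and the sample URL are constructed for illustration).

```python
from urllib.parse import parse_qs, urlsplit

try:
    from markupsafe import escape  # the library the thread recommends
except ImportError:  # assumption: fall back to the stdlib escaper when MarkupSafe is absent
    from html import escape

# Hypothetical wrapper a tracker page might put around its status message.
TEMPLATE = '<p class="ok-message">{}</p>'


def ok_message_from_url(url):
    """Return the ok_message query parameter of a URL, or '' when it is absent."""
    params = parse_qs(urlsplit(url).query)
    return params.get("ok_message", [""])[0]


def render_unescaped(url):
    """The risky pattern: the URL-supplied text lands in the page verbatim,
    so any markup it carries becomes live markup in the browser."""
    return TEMPLATE.format(ok_message_from_url(url))


def render_escaped(url):
    """The fix: every character HTML would interpret (<, >, &, quotes) is
    replaced by an entity, so the text is displayed but never parsed as markup."""
    return TEMPLATE.format(str(escape(ok_message_from_url(url))))


if __name__ == "__main__":
    # Constructed sample: an ok_message that contains HTML (not taken from the thread).
    sample = "http://tracker.example/issue1?ok_message=%3Cb%3Esaved%3C%2Fb%3E"
    print(render_unescaped(sample))  # the <b> tag survives into the page
    print(render_escaped(sample))    # the tag is shown as text: &lt;b&gt;saved&lt;/b&gt;
```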
