help: Problem with cgi form

Jon Ribbens jon+usenet at unequivocal.co.uk
Tue Feb 26 01:10:45 EST 2002


In article <3C7AD506.3000906 at mxm.dk>, Max M wrote:
>> Beware that, in general, that is a bug. You are open to Cross Site
>> Scripting attacks. Even in the absence of these, if the value happens
>> to contain characters significant to HTML (such as '"', '&', '>', etc)
>> then your program will go wrong.
> 
> Yeah ok ... I thought that there was a limit to how much should be 
> explained in one post :-) But here goes:
> 
> from cgi import escape
> 
> '''<INPUT TYPE=HIDDEN NAME="last_pos" VALUE='%s'>''' % escape(last_byte_pos)

That is also a bug ;-). cgi.escape does not escape single or double
quotes by default, and indeed never escapes single quotes.

> from xml.sax.saxutils import quoteattr
> 
> '''<INPUT TYPE=HIDDEN NAME="last_pos" VALUE='%s'>''' % quoteattr(last_byte_pos)

This is also a bug ;-). quoteattr outputs the quotes as well as the
value.

The Python library functions do seem to be trying to make somewhat of
a mountain out of this trivial task. cgi.escape would work in all
situations and would not break backwards compatibility if it simply
always escaped single and double quotes.
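To make the three mistakes in this exchange concrete, here is an added example (not code from either poster) that builds the hidden INPUT four ways and runs the result through Python's own html.parser to see what a parser actually extracts. It is written for Python 3, where cgi.escape no longer exists; html.escape(quote=False) reproduces the old cgi.escape default, and html.escape with its default quote=True is the behaviour Jon is asking for. The function names, the PAYLOAD string and the parse_attrs helper are assumptions made for the example.

```python
from html import escape
from html.parser import HTMLParser
from xml.sax.saxutils import quoteattr


class _AttrCollector(HTMLParser):
    """Records (tag, attrs) for every start tag so we can see what a
    browser-like parser makes of the generated markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_attrs(markup):
    """Return the attribute dict of the first start tag in `markup`
    (attribute names lowercased, character references decoded)."""
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags[0][1]


def escape_like_cgi(value):
    # html.escape(quote=False) replaces only & < > -- the same as the old
    # cgi.escape default the thread is complaining about.
    return escape(value, quote=False)


def hidden_input_quote_blind(value):
    # First attempt from the thread: single-quoted attribute, quote-blind escaping.
    return "<INPUT TYPE=HIDDEN NAME=\"last_pos\" VALUE='%s'>" % escape_like_cgi(value)


def hidden_input_double_quoted(value):
    # Second attempt: quoteattr() already emits the surrounding quotes, so the
    # template's own quotes end up as part of the attribute value.
    return "<INPUT TYPE=HIDDEN NAME=\"last_pos\" VALUE='%s'>" % quoteattr(value)


def hidden_input_quoteattr(value):
    # Correct use of quoteattr: let it supply the quotes and choose which kind.
    return "<INPUT TYPE=HIDDEN NAME=\"last_pos\" VALUE=%s>" % quoteattr(value)


def hidden_input_html_escape(value):
    # html.escape() with its default quote=True escapes both ' and ", so the
    # attribute is safe whichever quote character the template uses.
    return "<INPUT TYPE=HIDDEN NAME=\"last_pos\" VALUE='%s'>" % escape(value)


# Constructed payload: closes a single-quoted value and adds an event handler.
PAYLOAD = "' onfocus='alert(1)"


if __name__ == "__main__":
    for builder in (hidden_input_quote_blind, hidden_input_double_quoted,
                    hidden_input_quoteattr, hidden_input_html_escape):
        markup = builder(PAYLOAD)
        print(builder.__name__)
        print("  markup:", markup)
        print("  parsed:", parse_attrs(markup))
```

Running it shows the quote-blind version gaining an `onfocus` attribute, the double-quoted version storing literal quote characters in the value, and both correct versions round-tripping the payload as inert data.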



More information about the Python-list mailing list