safe cgi parameter

Robin Becker robin at reportlab.com
Mon Jun 4 19:50:54 CEST 2007


I'm trying to pass xml into a cgi script and have some problems because I both 
want to escape all my inputs (to avoid the possibility of an html injection 
attack) and also allow my xml to be obtained in its original form.

I thought of this

from xml.sax.saxutils import escape as xmlEscape
class SafeCgiParam(str):
	def __new__(cls,v):
		return str.__new__(cls,xmlEscape(v))
	def __init__(self,v):
		self.__raw__ = v


so

 >>> x=SafeCgiParam('a<&>b')
 >>> print x
a&lt;&amp;&gt;b
 >>> print x.__raw__
a<&>b


ie always wrap the value, but access to the original is possible via __raw__.

However, if you do anything like x.strip() the original is lost. I'm not sure 
that's a bad thing, but I thought I would ask what others do for this problem.
-- 
Robin Becker




More information about the Python-list mailing list