help: Problem with cgi form
Gustavo Cordova
gcordova at hebmex.com
Mon Feb 25 18:05:03 EST 2002
>
> In article <3C7AAF31.8040201 at mxm.dk>, Max M wrote:
> > And then print it to the form like:
> >
> > print '<INPUT TYPE=HIDDEN NAME= "last_pos" VALUE='%s'>' %
> last_byte_pos
>
> Beware that, in general, that is a bug. You are open to Cross Site
> Scripting attacks. Even in the absence of these, if the value happens
> to contain characters significant to HTML (such as '"', '&', '>', etc)
> then your program will go wrong.
>
Yes.
AS A RULE, always do AT LEAST these substitutions:
def SafeHtmlSubstitutions(txt):
    # '&' must be replaced first, or the entities added below get re-escaped
    BasicEntities = [
        ("&", "amp"),
        ("<", "lt"),
        (">", "gt"),
        ('"', "quot") ]
    for ch, ent in BasicEntities:
        txt = txt.replace(ch, "&%s;" % ent)
    return txt
That way, the text will be opaque to HTML.
Salutations.
-gustavo