help: Problem with cgi form
Max M
maxm at mxm.dk
Mon Feb 25 19:21:26 EST 2002
Jon Ribbens wrote:
> In article <3C7AAF31.8040201 at mxm.dk>, Max M wrote:
>
>>And then print it to the form like:
>>
>>print '<INPUT TYPE=HIDDEN NAME= "last_pos" VALUE='%s'>' % last_byte_pos
>>
> Beware that, in general, that is a bug. You are open to Cross Site
> Scripting attacks. Even in the absence of these, if the value happens
> to contain characters significant to HTML (such as '"', '&', '>', etc)
> then your program will go wrong.
Yeah ok ... I thought that there was a limit to how much should be
explained in one post :-) But here goes:
from cgi import escape
# quote=True also escapes '"', so the value cannot close the attribute
print '<INPUT TYPE=HIDDEN NAME="last_pos" VALUE="%s">' % escape(str(last_byte_pos), True)
Or in 2.2:
from xml.sax.saxutils import quoteattr
# quoteattr adds its own surrounding quotes, so the template has none
print '<INPUT TYPE=HIDDEN NAME="last_pos" VALUE=%s>' % quoteattr(str(last_byte_pos))
regards Max M
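Added example, not part of the original post: the unescaped pattern beside the two escaped forms, on a constructed value containing `"` and `>`. Python 3 names are assumed (`cgi.escape` was removed in 3.8; `html.escape` is its replacement and escapes quotes by default), and `is_single_tag` is a helper written here, not a library function.

```python
from html import escape
from xml.sax.saxutils import quoteattr


def hidden_input_unsafe(name, value):
    """The original pattern: the value is interpolated verbatim."""
    return '<INPUT TYPE=HIDDEN NAME="%s" VALUE="%s">' % (name, value)


def hidden_input_escaped(name, value):
    """Escape &, <, >, ", ' so the value cannot close the attribute or tag."""
    return '<INPUT TYPE=HIDDEN NAME="%s" VALUE="%s">' % (
        escape(name, quote=True),
        escape(str(value), quote=True),  # str(): last_byte_pos may be an int
    )


def hidden_input_quoteattr(name, value):
    """quoteattr chooses the delimiters itself, so the template has none."""
    return '<INPUT TYPE=HIDDEN NAME=%s VALUE=%s>' % (
        quoteattr(name),
        quoteattr(str(value)),
    )


def is_single_tag(rendered):
    """Crude check used here: exactly one '<' and one '>' means the value
    did not break out of the attribute into new markup."""
    return rendered.count("<") == 1 and rendered.count(">") == 1


if __name__ == "__main__":
    # Constructed value: a byte offset followed by characters that end the
    # attribute and the tag when interpolated raw.
    hostile = '12"><b>'
    for render in (hidden_input_unsafe, hidden_input_escaped, hidden_input_quoteattr):
        out = render("last_pos", hostile)
        print("%-22s single tag: %-5s %s" % (render.__name__, is_single_tag(out), out))
```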