Python cross-site scripting exploits?

A.M. Kuchling akuchlin at ute.mems-exchange.org
Thu May 23 09:56:15 EDT 2002


In article <DuIBcWA5WK78Ewyc at jessikat.fsnet.co.uk>,
	Robin Becker wrote:
> The alleged fix seems to involve more complete argument checking, is
> that required for any such defence? What should the request response be?

CSRF attacks have nothing to do with eval() or compile(), but with
including untrusted bits of text in HTML output without escaping them.
This means that if someone manages to input <script>...javascript
code...</script> into the program (perhaps by putting it in their CVS
checkin message), someone who comes along and views the page later
will end up running that JavaScript code.

The solution is difficult: you just have to be very careful to always
escape text of unknown provenance that's in HTML.  

--amk
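An added example, not from the post or from Python's own code, showing the unescaped rendering the post warns about next to the escaped form it recommends; it uses Python 3's html.escape (the modern equivalent of the cgi.escape available in 2002), and the checkin message is constructed for the demo:

```python
import html

# Constructed sample input: a CVS checkin message carrying markup, in the
# spirit of the post's example.  Not a real commit message.
UNTRUSTED_MESSAGE = "Fixed bug #12 <script>alert('xss')</script> & cleanup"


def render_vulnerable(message: str) -> str:
    """The bug the post describes: untrusted text pasted straight into HTML.

    Whatever markup the author typed becomes part of the page, so a later
    viewer's browser parses and runs it.
    """
    return "<p>Checkin message: %s</p>" % message


def render_escaped(message: str) -> str:
    """The fix the post describes: escape text of unknown provenance.

    html.escape() turns &, <, >, " and ' into character references, so the
    browser displays the text literally instead of treating it as markup.
    quote=True matters when the value lands inside an attribute value.
    """
    return "<p>Checkin message: %s</p>" % html.escape(message, quote=True)


def contains_script_element(page: str) -> bool:
    """Crude check used by the demo: does a literal <script tag survive?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(UNTRUSTED_MESSAGE))
    print("escaped:   ", render_escaped(UNTRUSTED_MESSAGE))
```

Escaping belongs at the point of output, not at input time: the same stored message may later be written into an attribute, a URL or a script block, each of which needs its own encoding.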



