Escape problem
ketulp_baroda at yahoo.com
Wed Mar 3 04:53:17 EST 2004
Jeff Epler <jepler at unpythonic.net> wrote in message news:<mailman.33.1078241864.12614.python-list at python.org>...
> The exact answer depends on what library you're using in your
> application.
>
> The low-level answer is that you must properly escape characters that
> would otherwise be treated specially by html.
>
> For example, the output needs to look like this
> <FORM ...>
> <INPUT TYPE="text" NAME="something" VALUE="foo&quot;bar&quot;">
> ...
> </FORM>
>
> If you do not escape or otherwise treat specially the " characters, the
> resulting non-html output will contain something like
> <INPUT TYPE="text" NAME="something" VALUE="foo"bar"">
>
> ... this kind of bug can also lead to cross-site scripting (XSS) problems,
> for instance if an attacker can control the string in question and sets
> it to something like '"><SCRIPT>alert(document.cookie)</SCRIPT>'...
>
> Jeff
Thanks, that solved my problem
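The escaping described in the quoted reply, as an added example that is not part of the original thread: it renders the INPUT field with and without html.escape from the standard library, then parses the result back to show what a browser-style parser sees. The helper names render_unsafe, render_safe, TagAudit and audit are hypothetical, and the two sample strings are the ones quoted in the message.

```python
from html import escape
from html.parser import HTMLParser


def render_unsafe(value):
    # Vulnerable form: the value is pasted into the attribute as-is.
    return '<INPUT TYPE="text" NAME="something" VALUE="%s">' % value


def render_safe(value):
    # quote=True also converts " and ', so the value cannot
    # terminate the double-quoted attribute.
    return '<INPUT TYPE="text" NAME="something" VALUE="%s">' % escape(value, quote=True)


class TagAudit(HTMLParser):
    """Record every start tag and the VALUE attribute of the INPUT tag."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.value = None

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and
        # unescapes entities in attribute values.
        self.tags.append(tag)
        if tag == "input":
            self.value = dict(attrs).get("value")


def audit(markup):
    parser = TagAudit()
    parser.feed(markup)
    parser.close()
    return parser.tags, parser.value


# Constructed inputs: the two strings quoted in the message above.
SAMPLES = ['foo"bar"', '"><SCRIPT>alert(document.cookie)</SCRIPT>']

if __name__ == "__main__":
    for s in SAMPLES:
        for render in (render_unsafe, render_safe):
            tags, value = audit(render(s))
            print(render.__name__, tags, repr(value), "round-trips:", value == s)
```

With the escaped form, the only tag parsed is INPUT and its value round-trips to the original string; with the unescaped form, the value is cut short and, for the second sample, a SCRIPT start tag appears in the parsed output.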