Escape problem

ketulp_baroda at yahoo.com
Wed Mar 3 04:53:17 EST 2004


Jeff Epler <jepler at unpythonic.net> wrote in message news:<mailman.33.1078241864.12614.python-list at python.org>...
> The exact answer depends on what library you're using in your
> application.
> 
> The low-level answer is that you must properly escape characters that
> would otherwise be treated specially by html.
> 
> For example, the output needs to look like this
>     <FORM ...>
>     <INPUT TYPE="text" NAME="something" VALUE="foo&quot;bar&quot;">
>     ...
>     </FORM>
> 
> If you do not escape or otherwise treat specially the " characters, the
> resulting non-html output will contain something like
>     <INPUT TYPE="text" NAME="something" VALUE="foo"bar"">
> 
> ... this kind of bug can also lead to cross-site scripting (XSS) problems,
> for instance if an attacker can control the string in question and sets
> it to something like '"><SCRIPT>alert(document.cookie)</SCRIPT>'...
> 
> Jeff

Thanks, that solved my problem.
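As an added example (not part of the thread), the unescaped rendering Jeff warns about beside the escaped one, with a check that parses the result back with the standard library's HTML parser to see whether the value survived as one attribute of one tag. The `render_input*` helpers and `attribute_is_intact` are names chosen here; `html.escape(quote=True)` is the modern stdlib call for this job.

```python
import html
from html.parser import HTMLParser

def render_input_unescaped(name: str, value: str) -> str:
    """Buggy form: the value is interpolated verbatim, so a '"' in it
    terminates the attribute early and the rest leaks into the markup."""
    return '<INPUT TYPE="text" NAME="%s" VALUE="%s">' % (name, value)

def render_input(name: str, value: str) -> str:
    """Hardened form: html.escape(quote=True) turns & < > " ' into entities,
    so nothing in the value can close the attribute or open a tag."""
    return '<INPUT TYPE="text" NAME="{}" VALUE="{}">'.format(
        html.escape(name, quote=True), html.escape(value, quote=True))

class _TagCollector(HTMLParser):
    """Records every start tag and the attributes of the first <input>."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)                 # tag names arrive lowercased
        if tag == "input" and not self.input_attrs:
            self.input_attrs = dict(attrs)    # entity references already decoded

def attribute_is_intact(markup: str, value: str) -> bool:
    """True only if the markup parses as a single <input> whose VALUE is
    exactly the original string, i.e. nothing escaped the attribute."""
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p.tags == ["input"] and p.input_attrs.get("value") == value

if __name__ == "__main__":
    # Constructed inputs: the foo"bar" case from the thread and the
    # attacker-controlled string Jeff gives as the XSS example.
    for v in ['foo"bar"', '"><SCRIPT>alert(document.cookie)</SCRIPT>']:
        for label, render in (("unescaped", render_input_unescaped),
                              ("escaped", render_input)):
            out = render("something", v)
            print(f"{label:10} intact={attribute_is_intact(out, v)!s:5} {out}")
```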
