safe cgi parameter

Robin Becker robin at reportlab.com
Mon Jun 4 13:50:54 EDT 2007


I'm trying to pass xml into a cgi script and have some problems because I both 
want to escape all my inputs (to avoid the possibility of an html injection 
attack) and also allow my xml to be obtained in its original form.

I thought of this

from xml.sax.saxutils import escape as xmlEscape

class SafeCgiParam(str):
    # The str value itself is the escaped form, so printing or
    # concatenating the object can never emit raw '<', '>' or '&'.
    def __new__(cls, v):
        return str.__new__(cls, xmlEscape(v))

    # Keep the unescaped original reachable for code that needs it.
    def __init__(self, v):
        self.__raw__ = v


so

 >>> x=SafeCgiParam('a<&>b')
 >>> print x
a&lt;&amp;&gt;b
 >>> print x.__raw__
a<&>b


i.e. always wrap the value, but access to the original is possible via __raw__.

However, if you do anything like x.strip() the original is lost. I'm not sure 
that's a bad thing, but I thought I would ask what others do for this problem.
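One way to keep the original from being lost is to make the common string operations work on the raw value and re-wrap the result, so that the escaped form stays the default view after calls like strip(). The following is an added Python 3 example, not code from the post; the class and its .raw property are assumptions chosen here, and the query string fed to safe_params() is a constructed sample.

```python
from urllib.parse import parse_qs
from xml.sax.saxutils import escape as xml_escape


class SafeCgiParam(str):
    """Escaped view of a CGI parameter that also keeps the raw original.

    The str value (what print, '%s' and concatenation see) is always the
    XML/HTML-escaped form, so emitting it into markup by accident is harmless.
    The unescaped original is available through .raw, and the forwarded
    string methods below operate on the raw value and re-wrap the result,
    so the original survives operations such as .strip().
    """

    def __new__(cls, value):
        obj = str.__new__(cls, xml_escape(value))
        obj._raw = value  # hypothetical attribute name; the post used __raw__
        return obj

    @property
    def raw(self):
        """The unescaped original, for code that really needs it."""
        return self._raw


def _forwarding(name):
    """Build a method that applies `name` to the raw value and re-wraps."""

    def method(self, *args, **kwargs):
        result = getattr(self._raw, name)(*args, **kwargs)
        if isinstance(result, str):
            return SafeCgiParam(result)
        if isinstance(result, list):  # e.g. split() returns a list of str
            return [SafeCgiParam(part) for part in result]
        return result  # ints, bools, tuples from find()/startswith()/...

    method.__name__ = name
    return method


# Methods that would otherwise return a plain, raw-less str.
for _name in ("strip", "lstrip", "rstrip", "lower", "upper",
              "replace", "split", "__getitem__"):
    setattr(SafeCgiParam, _name, _forwarding(_name))


def safe_params(query_string):
    """Parse a query string into {name: [SafeCgiParam, ...]}.

    Every value is wrapped on the way in, so the escaped form is what the
    rest of the script sees unless it explicitly asks for .raw.
    """
    parsed = parse_qs(query_string, keep_blank_values=True)
    return {name: [SafeCgiParam(v) for v in values]
            for name, values in parsed.items()}


if __name__ == "__main__":
    # Constructed sample: an XML document passed as a CGI parameter.
    params = safe_params("xml=%20%3Cdoc%3E%26%3C%2Fdoc%3E%20&name=bob")
    doc = params["xml"][0].strip()
    print(doc)        # &lt;doc&gt;&amp;&lt;/doc&gt;  (safe to echo into HTML)
    print(doc.raw)    # <doc>&</doc>                  (still intact after strip)
```

Because the escaped text is what the object is, every place that formats or concatenates it gets the safe form without having to remember to call an escape function; only code that deliberately reads .raw ever sees unescaped input.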
-- 
Robin Becker



