[issue4860] js_output wrong for cookies with " characters
STINNER Victor
report at bugs.python.org
Thu Jan 15 20:53:56 CET 2009
STINNER Victor <victor.stinner at haypocalc.com> added the comment:
> What's wrong with < and >?
>>> c=Cookie.Cookie('Customer="</script>";'); print c.js_output()
<script type="text/javascript">
<!-- begin hiding
document.cookie = "Customer="</script>"";
// end hiding -->
</script>
It allows HTML/Javascript injection. Well, Python 2.5 already displays
a warning:
/usr/lib/python2.5/Cookie.py:710: DeprecationWarning:
Cookie/SmartCookie class is insecure; do not use it
The right fix is maybe to remove the deprecated and insecure function!
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue4860>
_______________________________________
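The injection in the transcript above, worked through as an added example (this code is not from the tracker thread and not the Cookie module's own): the cookie string is dropped between two literal double quotes, so a value containing `"` ends the JavaScript string and a value containing `</script>` ends the HTML script element. The block below reproduces that naive output, adds a safe alternative that writes the cookie string as a JSON string literal with `<`, `>` and `&` also hex-escaped, and includes a check for whether a generated block still has exactly one closing tag. It assumes Python 3, where the Cookie module became http.cookies; the function names are mine.

```python
"""Added example: why interpolating a Set-Cookie string straight into
document.cookie = "..." is an HTML/JavaScript injection, and one way to
embed it safely. Not code from the Python tracker thread or the stdlib."""
import json
import re
from http.cookies import SimpleCookie

# Same shape as the js_output() block quoted in the report.
SCRIPT_TMPL = '<script type="text/javascript">\ndocument.cookie = %s;\n</script>'


def cookie_header_for(name, value):
    # Build the Set-Cookie payload with the stdlib machinery; values with
    # characters outside its legal set come back double-quoted.
    c = SimpleCookie()
    c[name] = value
    return c[name].OutputString()


def naive_js_output(cookie_header):
    # Mirrors the Python 2 behaviour shown in the report: the cookie string is
    # placed between two literal double quotes with no escaping at all.
    return SCRIPT_TMPL % ('"%s"' % cookie_header)


def js_string_literal(s):
    # JSON string syntax is valid JavaScript string syntax. json.dumps escapes
    # " and \ and, with the default ensure_ascii=True, every non-ASCII code
    # point (which also covers U+2028/U+2029). The HTML-significant characters
    # are additionally written as \uXXXX so the HTML tokenizer can never see
    # "</script" inside the string, whatever the cookie value contains.
    return (json.dumps(s)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def safe_js_output(cookie_header):
    return SCRIPT_TMPL % js_string_literal(cookie_header)


_END_TAG = re.compile(r"</script", re.IGNORECASE)


def script_block_is_intact(html):
    # The HTML parser leaves the script data state at the first "</script"
    # it meets, so a sound block contains exactly one, the real closing tag.
    return len(_END_TAG.findall(html)) == 1 and html.rstrip().lower().endswith("</script>")


if __name__ == "__main__":
    for value in ('</script>', 'a"b'):
        hdr = cookie_header_for("Customer", value)
        print("header :", hdr)
        print("naive  :", naive_js_output(hdr), script_block_is_intact(naive_js_output(hdr)))
        print("safe   :", safe_js_output(hdr), script_block_is_intact(safe_js_output(hdr)))
```

For the `</script>` value the naive block contains two closing tags, so the browser ends the script at the first one and treats the rest of the cookie as markup; the safe block keeps it as the JavaScript string `"Customer=\"\u003c/script\u003e\""`. The `"` case from the issue title is handled by the same JSON escaping.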