Home Original page

Message 283873 - Python tracker

Message283873

Author pdeep5693
Recipients Kyle.Keating, jocassid, martin.panter, pdeep5693, terry.reedy
Date 2016-12-23.08:39:36
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1482482376.61.0.620677310361.issue12129@psf.upfronthosting.co.za>
In-reply-to
Content 
xml minidom.py needs extra validation in setAttributes for certain special characters depending on the attribute name. Attribute values cannot have special characters like <,> and cant be nested as described in the example below

element01 = doc.createElement('element01')
element01.setAttribute('attribute', "script><![CDATA[alert('script!');]]></script>")
doc.firstChild.appendChild(element01)

script shouldn't be allowed as a value for an attribute and I feel it should throw an exception (Value Exception) and as described above <,> shouldn't be allowed as attributes are more like key-value pairs. Could someone tell me if this is right? If it is, then minidom.py needs this extra level of validation for the same
History
Date User Action Args
2016-12-23 08:39:36pdeep5693setrecipients: + pdeep5693, terry.reedy, Kyle.Keating, martin.panter, jocassid
2016-12-23 08:39:36pdeep5693setmessageid: <1482482376.61.0.620677310361.issue12129@psf.upfronthosting.co.za>
2016-12-23 08:39:36pdeep5693linkissue12129 messages
2016-12-23 08:39:36pdeep5693create