help: Problem with cgi form
Gustavo Cordova
gcordova at hebmex.com
Mon Feb 25 18:05:03 EST 2002
> In article <3C7AAF31.8040201 at mxm.dk>, Max M wrote:
> > And then print it to the form like:
> >
> >     print '<INPUT TYPE=HIDDEN NAME="last_pos" VALUE="%s">' % last_byte_pos
>
> Beware that, in general, that is a bug. You are open to Cross Site
> Scripting attacks. Even in the absence of these, if the value happens
> to contain characters significant to HTML (such as '"', '&', '>', etc.)
> then your program will go wrong.

Yes. AS A RULE, always do AT LEAST these substitutions:

    def SafeHtmlSubstitutions(txt):
        # '&' must be replaced first, or the entities produced by the
        # later substitutions would themselves be re-escaped.
        BasicEntities = [
            ("&", "amp"),
            ("<", "lt"),
            (">", "gt"),
            ('"', "quot")
        ]
        for ch, ent in BasicEntities:
            txt = txt.replace(ch, "&%s;" % ent)
        return txt

That way, the text will be opaque to HTML.

Salutations.

-gustavo
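The following is an added worked example, not code from the thread above: it puts the raw interpolation quoted from Max M beside the escaped form, shows with a constructed attacker value why the replacement order in the table matters, and adds the caveat that the four-entity table leaves the single quote alone, so a single-quoted attribute stays injectable. The function and constant names (escape_with, render_hidden_input, PAYLOAD, SQ_PAYLOAD, and the rest) are assumptions made for this example; the comparison with the standard library's html.escape is Python 3.

```python
import html
import re

# Constructed attacker input (not from the thread): closes the VALUE
# attribute and the tag, then injects a script element.
PAYLOAD = '"><script>alert(1)</script><input value="'

# Constructed attacker input aimed at a single-quoted attribute.
SQ_PAYLOAD = "' onfocus='alert(1)"

# Same entity table and order as the post's function: '&' first, so the
# ampersands introduced by the later substitutions are not re-escaped.
BASIC_ENTITIES = [("&", "amp"), ("<", "lt"), (">", "gt"), ('"', "quot")]

# Deliberately wrong order ('&' last) to show why the order matters.
WRONG_ORDER = [("<", "lt"), (">", "gt"), ('"', "quot"), ("&", "amp")]

# The post's table plus the single quote, so the result is inert inside
# single-quoted attributes too (html.escape(quote=True) does the same).
ATTR_ENTITIES = BASIC_ENTITIES + [("'", "#x27")]


def escape_with(txt, entities):
    """Apply each (char, entity) substitution in table order."""
    for ch, ent in entities:
        txt = txt.replace(ch, "&%s;" % ent)
    return txt


def safe_html_substitutions(txt):
    """The post's function: inert in HTML text and double-quoted attributes."""
    return escape_with(txt, BASIC_ENTITIES)


def escape_attr(txt):
    """Stricter variant for attribute values in either quote style."""
    return escape_with(txt, ATTR_ENTITIES)


def escape_wrong_order(txt):
    """Escaping '&' last double-encodes the entities produced before it."""
    return escape_with(txt, WRONG_ORDER)


def render_hidden_input_unsafe(name, value):
    """The pattern quoted in the thread: value interpolated raw (vulnerable)."""
    return '<INPUT TYPE=HIDDEN NAME="%s" VALUE="%s">' % (name, value)


def render_hidden_input(name, value):
    """Hardened form: escape both interpolated strings before formatting."""
    return '<INPUT TYPE=HIDDEN NAME="%s" VALUE="%s">' % (
        safe_html_substitutions(name), safe_html_substitutions(value))


def render_single_quoted(name, value, escape=safe_html_substitutions):
    """Single-quoted attribute; with the four-entity escape a quote in the
    value still terminates the attribute, so extra attributes get injected."""
    return "<INPUT TYPE=HIDDEN NAME='%s' VALUE='%s'>" % (name, escape(value))


def count_start_tags(markup):
    """Number of HTML start tags; a correctly escaped hidden input has one."""
    return len(re.findall(r"<[A-Za-z]", markup))


def matches_stdlib(txt):
    """escape_attr agrees with the standard library's html.escape(quote=True)."""
    return escape_attr(txt) == html.escape(txt, quote=True)


if __name__ == "__main__":
    print(render_hidden_input_unsafe("last_pos", PAYLOAD))   # three tags
    print(render_hidden_input("last_pos", PAYLOAD))          # one tag
    print(escape_wrong_order("a<b"), "vs", safe_html_substitutions("a<b"))
    print(render_single_quoted("last_pos", SQ_PAYLOAD))
    print(render_single_quoted("last_pos", SQ_PAYLOAD, escape_attr))
```

The escape must happen at the point of interpolation, once per output context: a value escaped for an attribute is not thereby safe inside a script block or a URL, and escaping twice (the wrong-order case above) shows up as literal "&amp;lt;" on the rendered page rather than as an exploit, which is the cheaper of the two mistakes.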