New submission from Trung Pham <trungp...@gmail.com>:

In /Lib/http/cookies.py, the output from SimpleCookie.js_output might be parsed 
as HTML if it contained < and >.

```
from http import cookies
c = cookies.SimpleCookie()
c["fig"] = "newton</script><script>alert(document.domain)</script>"
print(c.js_output())
```

Output of `c.js_output()`:

```
<script type="text/javascript">
<!-- begin hiding
document.cookie = "fig=\"newton</script><script>alert(document.domain)</script>\"";
// end hiding -->
</script>
```

We can't simply escape all the special characters because the encoding method 
is treated differently depending on the document types. For example, the 
following snippet (from The Tangled Web) is safe in HTML but not in XHTML:

```
<script type="text/javascript">
    var tmp = 'I am harmless! &#x27;+alert(1);// Or am I?';
</script>
```

To avoid messing with the encoding methods, we could encode the cookie string 
in base64 and let the browser decode it.

```
// c.js_output()
<script type="text/javascript">
document.cookie = base64decode(<ENCODED>);
</script>
```

After searching around on GitHub, I think this function is rarely used, so 
deprecating it is also an option.

----------
components: Library (Lib)
messages: 409035
nosy: trungpaaa
priority: normal
severity: normal
status: open
title: SimpleCookie.js_output is vulnerable to HTML injection
type: security
versions: Python 3.11

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue46151>
_______________________________________
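As an added example (not code from the report above and not CPython's own `http.cookies` implementation), the following shows one way to realise the base64 proposal in Python, next to a check that compares the script body the stock `js_output` emits with the base64 version. The function names `safe_js_output`, `script_is_breakable` and `emitted_cookie_strings` are chosen for this example, and the browser side is assumed to decode with the standard `atob()`.

```python
"""Base64-wrapped alternative to SimpleCookie.js_output (illustrative only).

Every character the emitted <script> body contains comes from the base64
alphabet (A-Z a-z 0-9 + / =) plus the fixed JavaScript around it, so nothing
in the cookie value can close the script element in HTML or be read as
markup or an entity reference in XHTML. The browser restores the original
Set-Cookie string with atob().
"""
import base64
import re
from http import cookies


def safe_js_output(cookie: cookies.SimpleCookie, attrs=None) -> str:
    """Return a <script> block that sets each morsel via atob().

    Assumption: atob() yields a byte string, so only ASCII cookie strings
    round-trip faithfully. Non-ASCII raises UnicodeEncodeError here instead
    of being silently corrupted in the browser.
    """
    lines = []
    for morsel in cookie.values():
        raw = morsel.OutputString(attrs)  # e.g. fig="newton</script>..."
        encoded = base64.b64encode(raw.encode("ascii")).decode("ascii")
        lines.append(f'document.cookie = atob("{encoded}");')
    body = "\n".join(lines)
    return f'<script type="text/javascript">\n{body}\n</script>'


def script_is_breakable(output: str) -> bool:
    """Conservative check used to compare outputs: does the script body
    contain an end-tag open sequence ("</") that could terminate the
    <script> element early? Case-insensitive, as HTML tokenisation is."""
    body = output.split(">", 1)[1].rsplit("</script>", 1)[0]
    return "</" in body.lower()


_ATOB_RE = re.compile(r'document\.cookie = atob\("([A-Za-z0-9+/=]+)"\);')


def emitted_cookie_strings(output: str) -> list:
    """Simulate the browser: decode each atob() argument back to the
    Set-Cookie string that document.cookie would receive."""
    return [base64.b64decode(m).decode("ascii") for m in _ATOB_RE.findall(output)]


if __name__ == "__main__":
    # Constructed sample: the value from the report, containing </script>.
    c = cookies.SimpleCookie()
    c["fig"] = "newton</script><script>alert(document.domain)</script>"
    print("stock js_output breakable:", script_is_breakable(c.js_output()))
    safe = safe_js_output(c)
    print(safe)
    print("base64 version breakable:", script_is_breakable(safe))
    print("browser would set:", emitted_cookie_strings(safe))
```

`script_is_breakable` deliberately ignores the `<!-- begin hiding` comment that the stock template always emits, since that is part of the template rather than of the cookie value; it flags only an end-tag open sequence inside the body, which is exactly what the reported value injects.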
_______________________________________________
Python-bugs-list mailing list