Re: [Python-Dev] Use of cgi.escape can lead to XSS vulnerabilities

2010-06-23 Thread Craig Younkins
http://bugs.python.org/issue9061

On Tue, Jun 22, 2010 at 5:29 PM, Bill Janssen jans...@parc.com wrote:

 Craig Younkins cyounk...@gmail.com wrote:

  cgi.escape never escapes single quote characters, which can easily lead
  to a Cross-Site Scripting (XSS) vulnerability. This seems to be known by
  many, but a quick search reveals many are using cgi.escape for HTML
  attribute escaping.

 Did you file a bug report?

 Bill

___
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com


[Python-Dev] Use of cgi.escape can lead to XSS vulnerabilities

2010-06-22 Thread Craig Younkins
Hello,

The method in question: http://docs.python.org/library/cgi.html#cgi.escape
http://svn.python.org/view/python/tags/r265/Lib/cgi.py?view=markup   # at
the bottom

Convert the characters '&', '<' and '>' in string s to HTML-safe sequences.
Use this if you need to display text that might contain such characters in
HTML. If the optional flag quote is true, the quotation mark character ('"')
is also translated; this helps for inclusion in an HTML attribute value, as
in <A HREF="...">. If the value to be quoted might include single- or
double-quote characters, or both, consider using the quoteattr() function in
the xml.sax.saxutils module instead.

cgi.escape never escapes single quote characters, which can easily lead to a
Cross-Site Scripting (XSS) vulnerability. This seems to be known by many,
but a quick search reveals many are using cgi.escape for HTML attribute
escaping.

The intended use of this method is unclear to me. Up to and including the
latest published version of Mako (0.3.3), this method was the HTML escaping
method. Used in this manner, single-quoted attributes with user-supplied
data are easily susceptible to cross-site scripting vulnerabilities.

Proof of concept in Mako (the 'h' filter is Mako's HTML escape, which at
0.3.3 calls cgi.escape with quote=True):

>>> from mako.template import Template
>>> print Template("<div class='${data}'>",
...                default_filters=['h']).render(data="' onload='alert(1);' id='")
<div class='' onload='alert(1);' id=''>

I've emailed Michael Bayer, the creator of Mako, and this will be fixed in
version 0.3.4.

While the documentation says if the value to be quoted might include
single- or double-quote characters... [use the] xml.sax.saxutils module
instead, it also implies that this method will make input safe for HTML.
Because this method escapes 4 of the 5 key XML characters, it is reasonable
to expect some will use it in the manner Mako did.

I suggest rewording the documentation for the method making it more clear
what it should and should not be used for. I would like to see the method
changed to properly escape single-quotes, but if it is not changed, the
documentation should explicitly say this method does not make input safe for
inclusion in HTML.

Shameless plug: http://www.pythonsecurity.org/

Craig Younkins
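Added example, not part of Craig's post nor of the Mako or CPython code bases: the attribute injection from the proof of concept above, reproduced on a current Python 3 interpreter and contrasted with attribute escaping that also covers the single quote. cgi.escape was deprecated in Python 3.2 and removed in 3.8, so `legacy_cgi_escape` is an assumed reimplementation of the Python 2.6 behaviour the thread describes (escapes &, <, > and optionally "); `render_div` mirrors the thread's `<div class='${data}'>` template with the Mako 'h' filter assumed to be cgi.escape(s, True); the payload is the thread's own. The stdlib HTML parser is used to show what a browser would actually see as the attribute set in each case.

```python
"""cgi.escape-style escaping inside a single-quoted attribute, and a fix.

Added example; legacy_cgi_escape is an assumed reimplementation of the
Python 2.6 cgi.escape behaviour (cgi.escape no longer exists in Python 3.8+).
"""
import html
from html.parser import HTMLParser


def legacy_cgi_escape(s, quote=False):
    """Assumed port of Python 2.6 cgi.escape: &, <, > always; " only when
    quote=True; the single quote is never translated."""
    s = s.replace("&", "&amp;")
    s = s.replace("<", "&lt;")
    s = s.replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def attr_escape(s):
    """Attribute-safe escaping: in Python 3, html.escape(quote=True) also
    translates the single quote (to &#x27;), so a value can never close a
    single- or double-quoted attribute."""
    return html.escape(s, quote=True)


class _AttrCollector(HTMLParser):
    """Collects (name, value) pairs of every start tag, as a browser would
    interpret them (entity references in values are decoded)."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def parse_attrs(markup):
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def render_div(data, escape):
    # Same shape as the thread's Mako template: <div class='${data}'>
    return "<div class='%s'>" % escape(data)


# Constructed input: the exact payload from the proof of concept.
PAYLOAD = "' onload='alert(1);' id='"


def vulnerable_attrs():
    """Assumed Mako 0.3.3 'h' filter: cgi.escape(s, True). The payload passes
    through untouched and the browser sees three attributes, one of them an
    event handler."""
    return parse_attrs(render_div(PAYLOAD, lambda s: legacy_cgi_escape(s, True)))


def hardened_attrs():
    """With the single quote escaped, the whole payload stays inside the one
    class attribute."""
    return parse_attrs(render_div(PAYLOAD, attr_escape))


if __name__ == "__main__":
    print(render_div(PAYLOAD, lambda s: legacy_cgi_escape(s, True)))
    print("parsed as:", vulnerable_attrs())
    print(render_div(PAYLOAD, attr_escape))
    print("parsed as:", hardened_attrs())
```

The check to take away: escaping is only "HTML-safe" relative to a context, and the attribute context needs both quote characters covered. Running the block shows the legacy output parsed into `class`, `onload` and `id`, while the hardened output parses into a single `class` attribute whose decoded value is the original payload string.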