[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

Wed, 23 Jun 2010 08:49:25 -0700 

New submission from Craig Younkins <[email protected]>:

The method in question: http://docs.python.org/library/cgi.html#cgi.escape
http://svn.python.org/view/python/tags/r265/Lib/cgi.py?view=markup   # at the 
bottom
http://code.python.org/hg/trunk/file/3be6ff1eebac/Lib/cgi.py#l1031

"Convert the characters '&', '<' and '>' in string s to HTML-safe sequences. 
Use this if you need to display text that might contain such characters in 
HTML. If the optional flag quote is true, the quotation mark character ('"') is 
also translated; this helps for inclusion in an HTML attribute value, as in <A 
HREF="...">. If the value to be quoted might include single- or double-quote 
characters, or both, consider using the quoteattr() function in the 
xml.sax.saxutils module instead."

cgi.escape never escapes single quote characters, which can easily lead to a 
Cross-Site Scripting (XSS) vulnerability. This seems to be known by many, but a 
quick search reveals many are using cgi.escape for HTML attribute escaping.

The intended use of this method is unclear to me. Up to and including Mako 
0.3.3, this method was the HTML escaping method. Used in this manner, 
single-quoted attributes with user-supplied data are easily susceptible to 
cross-site scripting vulnerabilities.

While the documentation says "if the value to be quoted might include single- 
or double-quote characters... [use the] xml.sax.saxutils module instead," it 
also implies that this method will make input safe for HTML. Because this 
method escapes 4 of the 5 key XML characters, it is reasonable to expect some 
will use it for HTML escaping.

I suggest rewording the documentation for the method making it more clear what 
it should and should not be used for. I would like to see the method changed to 
properly escape single-quotes, but if it is not changed, the documentation 
should explicitly say this method does not make input safe for inclusion in 
HTML.

This is definitely affecting the security of some Python web applications. I 
already mentioned Mako, but I've found this type of bug in other frameworks and 
engines because the creators either called cgi.escape directly or modeled their 
own after it.

Craig Younkins

----------
assignee: d...@python
components: Documentation, Library (Lib)
messages: 108457
nosy: Craig.Younkins, d...@python
priority: normal
severity: normal
status: open
title: cgi.escape Can Lead To XSS Vulnerabilities
versions: Python 2.5, Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3

_______________________________________
Python tracker <[email protected]>
<http://bugs.python.org/issue9061>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
Unsubscribe: 
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com

Reply via email to