On Fri, Apr 13, 2012 at 9:53 PM, Éric Araujo <e...@netwok.org> wrote:
> bugs.python.org already sanitizes the ok_message and Ezio already posted a
> patch to the upstream bug tracker, so I don’t see what else we could do.
I am +1 with Glyph that XSS protection in Roundup is an unreliable hack. Ezio's patch just prolongs the agony - it doesn't make it better. Code becomes less maintainable. There are two solutions to that:

1. Use a specialized library such as http://pypi.python.org/pypi/MarkupSafe/ - benefits - easier maintenance, to get future fixes without waiting until somebody will have the time to test attacks on Roundup
2. Quote all HTML on server side and use alternative (wiki) markup for message decorations
3. Do not allow HTML content to be injected through the URL

> Also note that the Firefox extension NoScript blocks the XSS in this case.

NoScript blocks everything, doesn't it?
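The three options in the message above, shown on the ok_message pattern the thread discusses: the verbatim rendering that the URL can abuse next to the escaped rendering (option 1/3) and an escape-then-decorate rendering (option 2). This is an added illustration, not Roundup's code or Ezio's patch; it assumes ok_message arrives as a query-string parameter of that name, and uses the standard library's html.escape in place of MarkupSafe so it runs with no dependencies.

```python
# Added example, not Roundup's own code. html.escape stands in for the
# MarkupSafe escaping suggested in the thread; behaviour is the same for
# the characters that matter here (< > & " ').
import html
import re
from urllib.parse import parse_qs, urlsplit

PAGE = '<html><body><p class="ok-message">{msg}</p></body></html>'


def ok_message_from_url(url: str) -> str:
    """Pull ok_message out of a query string (parameter name assumed)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("ok_message", [""])[0]


def render_unsafe(msg: str) -> str:
    """Vulnerable: URL-supplied text goes into the HTML verbatim."""
    return PAGE.format(msg=msg)


def render_escaped(msg: str) -> str:
    """Options 1/3: escape every HTML metacharacter, so the message can
    only ever be text, whatever the URL carried."""
    return PAGE.format(msg=html.escape(msg, quote=True))


# Tiny wiki markup: *word* -> bold. Applied AFTER escaping, so the only
# tags in the output are the ones this regex emits.
_WIKI_BOLD = re.compile(r"\*([^*\n]+)\*")


def render_wiki(msg: str) -> str:
    """Option 2: escape first, then decorate the already-escaped text."""
    safe = html.escape(msg, quote=True)
    return PAGE.format(msg=_WIKI_BOLD.sub(r"<b>\1</b>", safe))


if __name__ == "__main__":
    # Constructed sample URL carrying a script tag in the message.
    url = "http://tracker.example/issue1?ok_message=<script>alert(1)</script>"
    msg = ok_message_from_url(url)
    print("unsafe :", render_unsafe(msg))
    print("escaped:", render_escaped(msg))
    print("wiki   :", render_wiki("*saved* " + msg))
```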