Thanks for responding! The XML() helper is described in the online web2py book in section 5.2.
Basically, it prevents characters that are special to HTML from being escaped in the output of other web2py helpers. The sanitize argument tells XML() to escape all but a permitted set of tags and allowed attributes. Massimo has some examples in the book of using XML() to escape <script> tags to prevent javascript XSS attacks while allowing innocuous markup to pass through unaltered.

The myXML() wrapper I wrote adds 2 tags, 'object' and 'embed', and specifies as allowed attributes 'height' and 'width' for object and 'allowfullscreen', 'src', and 'type' for embed. These seem to be sufficient to allow one to go to YouTube, Vimeo, or MetaCafe, click the embed button, copy the html, paste it into the CKEditor instance in my application, and allow the video to play when my application renders the user's content.

So, for example, if the input a user submits contains video embedding code like this:

    <object width="400" height="225">
    <param name="allowfullscreen" value="true" />
    <param name="allowscriptaccess" value="always" />
    <param name="movie" value="http://vimeo.com/moogaloop.swf?clip_id=12475071&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" />
    <embed src="http://vimeo.com/moogaloop.swf?clip_id=12475071&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" type="application/x-shockwave-flash" allowfullscreen="true" allowscriptaccess="always" width="400" height="225"></embed>
    </object>

then myXML() will turn it into

    <object height="225" width="400">
    <param><param><param>
    <embed allowfullscreen="true" src="http://vimeo.com/moogaloop.swf?clip_id=12475071&server=vimeo.com&show_title=1&show_byline=1&show_portrait=0&color=&fullscreen=1" type="application/x-shockwave-flash"></embed>
    </object>

Notice that the <param> tags are escaped and their attributes are removed. Also notice that the "allowscriptaccess" tag has been removed from the <embed> tag.
Surprisingly, removing this stuff doesn't seem to affect the display and playback of the video. So what I'm trying to find out is whether this level of escaping is sufficient to prevent anything harmful from being served by my application or, if not, what additional validation and filtering is needed.

You asked about my upload form. Basically it looks like this:

    fields = [Field("edited", 'string',
                    default=itemtext,
                    requires=IS_NOT_EMPTY(),
                    widget=ckeditor_basic,
                    formstyleitem=None,
                    )]
    form = SQLFORM.factory(*fields)
    if form.accepts(request.vars, session):
        session.flash = 'Edit accepted.'
        #import pdb; pdb.set_trace()
        update(form.vars.edited)
        # ... etc ...
    elif form.errors:
        response.flash = 'Form has errors!'
    else:
        response.flash = 'Fill out the form'
    return dict(form=form)

The ckeditor_basic widget is a wrapper that replaces a textarea with a CKEditor instance. So what the user gets is the ability to compose content with a limited set of markup including links, images, and embedded video. Note that there is no support for uploading the actual image or video files. When the user submits the content, my application stores it verbatim to be served later after passing it through the myXML() function.

Thanks,
Mike

On Jul 1, 2:40 pm, GoldenTiger <[email protected]> wrote:
> I don't know how XML function works, let me see your upload form code
> and any html output of myXML
>
> On 1 jul, 18:32, MikeEllis <[email protected]> wrote:
>
> > I'm developing an app that needs to allow users to create and view
> > content that includes links, images, and embedded video, e.g. from
> > YouTube. The following wrapper for the XML function seems the minimum
> > set that will do the job, but I'm concerned about XSS attacks.
> >
> > def myXML(text):
> >     return XML(text, sanitize=True,
> >                permitted_tags=['a', 'b', 'blockquote', 'br/', 'i', 'li',
> >                                'ol', 'ul', 'p', 'cite', 'code', 'pre',
> >                                'img/', 'object', 'embed'],
> >                allowed_attributes={'a': ['href', 'title'],
> >                                    'img': ['src', 'alt'],
> >                                    'blockquote': ['type'],
> >                                    'object': ['height', 'width'],
> >                                    'embed': ['allowfullscreen', 'src', 'type'],
> >                                    })
> >
> > Any suggestions from the security experts in the community?
> >
> > Thanks,
> > Mike
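Added example, not part of the thread and not web2py's code: a stdlib-only Python sanitizer built on the same permitted_tags / allowed_attributes idea as myXML(), with two checks made explicit that a list of tag and attribute names cannot express by itself: the scheme of every URL-valued attribute (href and src) and, for embed, the host that serves the player. The allowlists are copied from myXML(); ALLOWED_EMBED_HOSTS, the http/https scheme set, the browser-style cleanup in normalize_url() and all sample inputs are assumptions and constructed data for illustration. Attributes come out sorted and disallowed tags are reduced to escaped text so the output resembles what the thread shows, but this is an approximation written for the example, not web2py's sanitizer.

```python
"""Allowlist HTML sanitizer with URL-value checks (added example, stdlib only).
Not web2py's XML()/sanitizer and not myXML(): same allowlist idea, plus
explicit checks on the values of URL attributes."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlists as in myXML() ('br/' and 'img/' become plain names here).
PERMITTED_TAGS = {'a', 'b', 'blockquote', 'br', 'i', 'li', 'ol', 'ul', 'p',
                  'cite', 'code', 'pre', 'img', 'object', 'embed'}
ALLOWED_ATTRIBUTES = {'a': {'href', 'title'}, 'img': {'src', 'alt'},
                      'blockquote': {'type'}, 'object': {'height', 'width'},
                      'embed': {'allowfullscreen', 'src', 'type'}}
VOID_TAGS = {'br', 'img', 'embed'}
# Attributes whose value is a URL; an allowlist of names says nothing about it.
URL_ATTRIBUTES = {('a', 'href'), ('img', 'src'), ('embed', 'src')}
SAFE_SCHEMES = {'http', 'https'}
# Assumed for illustration: the only hosts whose players we will <embed>.
ALLOWED_EMBED_HOSTS = {'vimeo.com', 'www.youtube.com', 'www.metacafe.com'}


def normalize_url(value):
    """Approximate browser URL pre-processing: drop tab/CR/LF anywhere and
    strip leading/trailing C0 controls, so 'java\\tscript:' is not missed."""
    value = value.replace('\t', '').replace('\r', '').replace('\n', '')
    return value.strip(''.join(chr(c) for c in range(0x21)))


def url_is_safe(tag, attr, value):
    """Decide whether a URL-valued attribute may be kept on this tag."""
    if (tag, attr) not in URL_ATTRIBUTES:
        return True                       # not a URL attribute
    parts = urlparse(normalize_url(value))
    scheme = parts.scheme.lower()
    if scheme == '':
        return tag != 'embed'             # relative links/images ok, players not
    if scheme not in SAFE_SCHEMES:
        return False                      # javascript:, data:, vbscript:, ...
    if tag == 'embed':
        return (parts.hostname or '').lower() in ALLOWED_EMBED_HOSTS
    return True


class AllowlistSanitizer(HTMLParser):
    """Keeps allowlisted tags/attributes; everything else becomes text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # attr values arrive entity-decoded
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in PERMITTED_TAGS:
            # Disallowed tag shown as literal text, attributes dropped
            # (the <param> -> &lt;param&gt; behaviour seen in the thread).
            self.out.append('&lt;%s&gt;' % escape(tag))
            return
        kept = []
        for name, value in sorted(dict(attrs).items()):  # last duplicate wins
            value = '' if value is None else value
            if name not in ALLOWED_ATTRIBUTES.get(tag, ()):
                continue                  # onclick, style, allowscriptaccess, ...
            if not url_is_safe(tag, name, value):
                continue                  # javascript: href, foreign .swf, ...
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        end = ' />' if tag in VOID_TAGS else '>'
        self.out.append('<%s%s%s' % (tag, ''.join(kept), end))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in PERMITTED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag not in PERMITTED_TAGS:
            self.out.append('&lt;/%s&gt;' % escape(tag))
        elif tag not in VOID_TAGS:
            self.out.append('</%s>' % tag)

    def handle_data(self, data):
        self.out.append(escape(data))     # text content is always escaped

    # Comments (incl. IE conditional comments), doctypes and PIs are dropped.
    def handle_comment(self, data):
        pass

    handle_decl = handle_pi = unknown_decl = handle_comment


def sanitize(html_text):
    """Return sanitized HTML that a template may then emit unescaped."""
    parser = AllowlistSanitizer()
    parser.feed(html_text)
    parser.close()
    return ''.join(parser.out)


if __name__ == '__main__':
    # Constructed inputs: a trimmed Vimeo embed like the one in the thread, then
    # payloads that pass a name-only allowlist but fail the URL checks.
    for sample in (
        '<object width="400" height="225"><param name="allowscriptaccess" value="always" />'
        '<embed src="http://vimeo.com/moogaloop.swf?clip_id=12475071&server=vimeo.com" '
        'type="application/x-shockwave-flash" allowscriptaccess="always"></embed></object>',
        '<a href="java\tscript:alert(1)" title="click">x</a>',
        '<embed src="http://evil.example/x.swf" type="application/x-shockwave-flash">',
    ):
        print(sample, '\n ->', sanitize(sample), '\n')
```

Two points worth keeping in mind when reading the thread against this sketch. The allowscriptaccess attribute that myXML() strips from <embed> is the one that lets a Flash movie call JavaScript in the embedding page, so its removal is a gain for the application, not a loss, and the video plays without it as observed. Restricting embed src to known hosts matters for the same reason: without it any user can point the player at a SWF they control. The sketch does not balance or nest tags, so an unclosed <b> or <blockquote> still passes through; that affects layout rather than script execution.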

