On Jun 18, 1:51 pm, Anthony <[email protected]> wrote:
> Unless you're writing your own raw SQL, I think the DAL is supposed to
> protect against SQL injection attacks. And if you're returning code to any
> views, the template engine should escape it properly before rendering. Have
> you successfully executed an actual attack?
Yes. At least I think I did.
I'm not really an expert in this domain. But I did hook up the jQuery
edit in place function from the link I posted at the top post. Then I
did a db insertion per the method listed in my original post. I
managed to insert a script in a text field, something like this:
here's some text<script>alert('hello world');</script>some more
text
Later, when I displayed the string in my web2py view, the alert was
executed successfully. Then I escaped the entire string with the
XML(...,sanitize=True) and the script was no longer executed.
Obviously, it could have been a much more malicious piece of
JavaScript. I honestly don't know if I'm doing something stupid here,
or if I was clever ... again, I have no experience in these matters.
It just seemed like it was a hole of some sort and I'm asking that
someone much more versed in these matters make a more educated
determination than I. I don't want to be a Chicken Little and claim
the "sky is falling."
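The behaviour described above, as an added example that is not code from the original post or from web2py: the poster's stored string rendered three ways, verbatim (what happens when a string is marked safe), escaped (the template engine's default), and through a small allowlist sanitizer that drops `<script>` in the spirit of `XML(..., sanitize=True)`. The sanitizer is a hypothetical stand-in for illustration, not web2py's implementation.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the string the poster stored through the edit-in-place field.
STORED = "here's some text<script>alert('hello world');</script>some more text"


def render_raw(s: str) -> str:
    """Unsafe: inserted verbatim, as when the template is told the string is safe."""
    return s


def render_escaped(s: str) -> str:
    """Default template behaviour: escape everything, browser shows literal text."""
    return html.escape(s, quote=True)


class _Allowlist(HTMLParser):
    """Hypothetical allowlist sanitizer (not web2py's own): keeps a few harmless
    tags, drops every other tag and all attributes, drops the body of <script>
    and <style>, and escapes all remaining text."""
    ALLOWED = {"b", "i", "em", "strong", "p", "br"}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0  # nesting depth inside a dropped <script>/<style> element

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1  # the element's inner text is dropped too
        elif tag in self.ALLOWED and not self._skip:
            self.out.append(f"<{tag}>")  # attributes (onclick, href, ...) dropped

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = max(0, self._skip - 1)
        elif tag in self.ALLOWED and not self._skip:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=True))


def render_sanitized(s: str) -> str:
    """Allowlist rendering: markup survives only if it is on the allowlist."""
    p = _Allowlist()
    p.feed(s)
    p.close()  # flush any buffered text
    return "".join(p.out)
```

Only `render_raw` lets the alert run; the other two never emit a `<script>` tag whatever the stored text contains.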