With xmlescape, HTML helpers should still work fine -- xmlescape does not
escape helpers, only the components within the helpers (I think it
basically replicates the escaping behavior of web2py views):
>>> xmlescape(A("Hello World", _href="#"))
'<a href="#">Hello World</a>'
However, with xmlescape, raw HTML will now be escaped:
>>> xmlescape('<a href="#">Hello World</a>')
'<a href="#">Hello World</a>'
Of course, that can be avoided as usual with XML():
>>> xmlescape(XML('<a href="#">Hello World</a>'))
'<a href="#">Hello World</a>'
I see this as fixing a security bug rather than a backward compatibility
issue. Regular flash messages are escaped, along with everything else in
the view -- why not escape Ajax flash messages?
Anthony
On Sunday, August 5, 2012 11:45:21 PM UTC-4, Massimo Di Pierro wrote:
>
> I think
>
> response.flash = A("Hello World", _href="#")
>
> should be allowed. It was always allowed. This is a backward compatibility
> issue. Yet I see there is a potential security issue there.
> I am not sure what the exact solution should be. Perhaps automatic
> sanitization of flash messages before response?
>
> response.flash = XML(str(response.flash), sanitize=True).xml()
>
>
> On Aug 5, 2012, at 10:22 PM, Niphlod wrote:
>
> Would serialized HTML messages be escaped then ?
>
> What if someone uses response.flash = A("Hello World", _href="#") ?
>
> On Monday, August 6, 2012 4:50:31 AM UTC+2, Anthony wrote:
>>
>> Bump. Should we replace str() with xmlescape() so Ajax flash messages get
>> escaped, just like regular flash messages and everything else in the view?
>>
>> Anthony
>>
>> On Saturday, August 4, 2012 9:23:53 PM UTC-4, Anthony wrote:
>>>
>>> On Saturday, August 4, 2012 7:00:18 PM UTC-4, dbdeveloper wrote:
>>>>
>>>> I do not understand what the problem with decodeURIComponent()?
>>>>
>>>
>>> When I tried trunk, I think there was a problem with the encoding of my
>>> controller file (ANSI instead of UTF-8) -- in that case, I guess
>>> urllib2.quote didn't yield the correct output for decodeURIComponent (same
>>> problem in the earlier version, when the escaping was done on the client
>>> side via the Javascript escape() function). Now it works.
>>>
>>> In any case, a remaining issue is that there's still no escaping of
>>> potentially dangerous content in the flash message. Everything written to
>>> HTML by web2py is typically escaped, including regular flash messages. The
>>> only content that isn't getting escaped are flash messages for Ajax
>>> components. To be consistent (and safe), we should probably escape those
>>> messages as well (you can always put them in an XML() if you don't want
>>> them escaped, as with any template content). In main.py, I replaced:
>>>
>>> urllib2.quote(str(response.flash).replace('\n',''))
>>>
>>> with:
>>>
>>> urllib2.quote(xmlescape(response.flash).replace('\n',''))
>>>
>>> With that change, the flash message still looks fine (see screenshot
>>> below).
>>>
>>> Anthony
>>>
>>>
>>> <https://lh3.googleusercontent.com/-Z8G64F_zCv4/UB3KLUoUcGI/AAAAAAAABK8/sO9okzpFtJ4/s1600/flash.png>
>>>
>>>
>>>
>>>
> --
> -- mail from:GoogleGroups "web2py-developers" mailing list
> make speech: [email protected]
> unsubscribe: [email protected]
> details : http://groups.google.com/group/web2py-developers
> the project: http://code.google.com/p/web2py/
> official : http://www.web2py.com/
>
>
>
>
>
--
