Warning: Can't synchronize with repository "(default)" (Unsupported version control system "svn": No module named svn). Look in the Trac log for more information.

Changes between Version 4 and Version 5 of FancyStatus


Ignore:
Timestamp:
07/09/06 20:36:02 (13 years ago)
Author:
chris dot arndt at web dot de
Comment:

Comment about possible security propblems when using XML()

Legend:

Unmodified
Added
Removed
Modified
  • FancyStatus

    v4 v5  
    99 
    1010http://www.turbogears.org/preview/docs/controllers/fancy.html 
     11 
     12Be careful with the trick using the `XML()` function described in the page linked here. This opens up the possibility of introducing Cross-Site-Scripting vulnerabilities, if you include things in your flash messages that were entered by a user, for example the name of a wiki page or similar without escaping them properly. 
     13 
     14Consider the following scenario: 
     15 
     16 * User A creates a new wiki page with the title "<script>alert("Vulnerable!");</script>" 
     17 * User B views that page and deletes it (assuming there is a delete function) 
     18 * You controller does `turbogears.flash("Page '%s' deleted." % page.title)` and shows the next page 
     19 * User B will load the page that contains `<div class="flash">Page '<script>alert("Vulnerable!");</script>' deleted.</div>` and the Javascript is sucessfully injected. 
     20 
     21Without the use of the `XML()` function page.title would get properly escaped and no harm is done. You could, of course, escape page.title seperately and everything would be fine, but it's easy to forget. Granted, you should always escape input from users when redisplaying it later, but Kid makes it easy to forget this, because it normally does not let you insert literal HTML code unescaped.