
Changes between Version 5 and Version 6 of FancyStatus


Timestamp: 06/24/07 17:33:14 (12 years ago)
Author: Chris Arndt
Comment: migration notice

  • FancyStatus

v5 (removed):

{{{
#!html
<br>
<div style="display:block; padding: 4px; border: 2px solid red; color: #C00; font-weight:bold;">
Note: this entry was moved to TurboGears newsdoc.
</div>
<br>
}}}

v6 (added):

{{{
#!rst
.. note:: This page has been migrated to http://docs.turbogears.org/1.0/RoughDocs/TurboGearsTips.
}}}
Unchanged in both versions:

http://www.turbogears.org/preview/docs/controllers/fancy.html

Be careful with the trick using the `XML()` function described in the page linked here. It opens up the possibility of introducing cross-site scripting (XSS) vulnerabilities if you include user-entered values in your flash messages, for example the name of a wiki page, without escaping them properly.

Consider the following scenario:

 * User A creates a new wiki page with the title "<script>alert("Vulnerable!");</script>"
 * User B views that page and deletes it (assuming there is a delete function)
 * Your controller does `turbogears.flash("Page '%s' deleted." % page.title)` and shows the next page
 * User B will load the page that contains `<div class="flash">Page '<script>alert("Vulnerable!");</script>' deleted.</div>` and the JavaScript is successfully injected.

Without the use of the `XML()` function, page.title would get properly escaped and no harm is done. You could, of course, escape page.title separately and everything would be fine, but it's easy to forget. Granted, you should always escape input from users when redisplaying it later, but Kid makes it easy to forget this, because it normally does not let you insert literal HTML code unescaped.
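The scenario above, worked through as an added example that is not part of the original wiki page and does not use TurboGears or Kid itself. It models the two ways the flash text can reach the browser: wrapped verbatim (what `XML()` does to the whole message) versus with only the user-controlled fragment escaped first. The title, the `flash_markup_*` helper names and the `<div class="flash">` wrapper are assumptions chosen to mirror the text; `html.escape` is from the Python standard library.

```python
import html

# Constructed sample input: the wiki page title User A chose in the scenario.
PAGE_TITLE = '<script>alert("Vulnerable!");</script>'


def flash_markup_unsafe(title):
    """Markup the browser receives when the whole flash message is marked as
    literal XML: the title is interpolated without any escaping."""
    message = "Page '%s' deleted." % title
    return '<div class="flash">%s</div>' % message


def flash_markup_escaped(title):
    """Same message, but the user-controlled fragment is escaped before it is
    combined with the trusted markup, so marking the result as literal XML
    is safe. quote=True also escapes " and ' so the value cannot break out
    of an attribute if the template ever puts it in one."""
    message = "Page '%s' deleted." % html.escape(title, quote=True)
    return '<div class="flash">%s</div>' % message


def flash_html(template, *user_values):
    """Helper for the pattern the page recommends: keep the markup in a fixed
    template written by the developer and escape every interpolated value.
    Hypothetical name; the page does not define such a helper."""
    return template % tuple(html.escape(str(v), quote=True) for v in user_values)


def contains_script_tag(markup):
    """Crude check used here only to show the difference between the two outputs."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(flash_markup_unsafe(PAGE_TITLE))    # script tag survives
    print(flash_markup_escaped(PAGE_TITLE))   # rendered as harmless text
    print(flash_html("Page '%s' deleted. <a href=\"/undo\">Undo</a>", PAGE_TITLE))
```

The `flash_html` helper shows the shape that keeps the `XML()` trick usable: developer-written markup lives in the template string, and anything that came from a user passes through `html.escape` before the message is marked as literal XML.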