
Version 5 (modified by chris dot arndt at web dot de, 13 years ago)

Comment about possible security problems when using XML()

Note: this entry was moved to TurboGears newsdoc.

Be careful with the trick using the XML() function described in the page linked here. It opens up the possibility of introducing cross-site scripting (XSS) vulnerabilities if you include user-entered data in your flash messages, for example the name of a wiki page or similar, without escaping it properly.

Consider the following scenario:

  • User A creates a new wiki page with the title "<script>alert("Vulnerable!");</script>"
  • User B views that page and deletes it (assuming there is a delete function)
  • Your controller does turbogears.flash("Page '%s' deleted." % page.title) and shows the next page
  • User B will load the page that contains <div class="flash">Page '<script>alert("Vulnerable!");</script>' deleted.</div> and the JavaScript is successfully injected.

Without the use of the XML() function page.title would get properly escaped and no harm is done. You could, of course, escape page.title separately and everything would be fine, but it's easy to forget. Granted, you should always escape input from users when redisplaying it later, but Kid makes it easy to forget this, because it normally does not let you insert literal HTML code unescaped.
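The scenario above, as an added example that is not part of the original entry and does not use turbogears.flash or Kid's XML() itself: it stands in for them with plain strings and Python's html.escape, and shows the unescaped flash message next to one that escapes only the user-controlled title before the surrounding markup is treated as literal HTML.

```python
from html import escape

# Constructed sample page title, exactly as in the scenario above.
TITLE = '<script>alert("Vulnerable!");</script>'


def flash_unescaped(title):
    # The pattern the entry warns about: the user-controlled title is
    # interpolated raw, and the whole string is later marked as literal
    # markup (the XML() trick), so nothing escapes it.
    return "Page '%s' deleted." % title


def flash_escaped(title):
    # Escape the user-controlled part *before* building the message.
    # quote=True also turns " and ' into entities, so a title cannot
    # break out of an attribute if the message is ever placed in one.
    return "Page '%s' deleted." % escape(title, quote=True)


def flash_with_markup(title):
    # The legitimate reason to use XML(): you want real markup in the
    # flash (here, bold text). Only the variable part is escaped; the
    # <b> tags are the developer's, so they may stay literal.
    return "Page '<b>%s</b>' deleted." % escape(title, quote=True)


def render_flash_div(message):
    # Simulates what reaches the browser when the flash message is
    # inserted into the template as literal HTML, unescaped.
    return '<div class="flash">%s</div>' % message


def contains_script_tag(html):
    # A crude check that a <script> element survived into the output.
    return "<script" in html.lower()


if __name__ == "__main__":
    for build in (flash_unescaped, flash_escaped, flash_with_markup):
        out = render_flash_div(build(TITLE))
        print(build.__name__, "injected" if contains_script_tag(out) else "safe")
        print("  ", out)
```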