javascript - Why is simplejson encoder for HTML escaping with \\u0026 instead of & letting an XSS happen?


I'm trying to automatically HTML-escape strings going into JSON objects. simplejson has JSONEncoderForHTML, which is supposed to do that. Here is how it escapes HTML:

    chunk = chunk.replace('&', '\\u0026')
    chunk = chunk.replace('<', '\\u003c')
    chunk = chunk.replace('>', '\\u003e')

1) Why is it using these codes instead of the HTML encoding that cgi.escape uses?

which is:

    chunk = chunk.replace('&', '&amp;')
    chunk = chunk.replace('<', '&lt;')
    chunk = chunk.replace('>', '&gt;')

Each of them states:

simplejson: To embed JSON content in, say, a script tag on a web page, the characters &, < and > should be escaped. They cannot be escaped with the usual entities (e.g. &amp;) because they are not expanded within <script> tags.

cgi.escape: Replace the special characters "&", "<" and ">" with HTML-safe sequences.

2) What does the part in bold mean here?

Other than not understanding the differences here, the core of the problem is that the simplejson method lets an XSS happen, whereas if I go into the HTML encoder and change the replace calls to the ones of cgi.escape, there is no XSS.

Given the input {'label': 'xss here"><script>alert(1)</script>'}

here is the output of simplejson.encoder.JSONEncoderForHTML:

    {"label": "xss here\"\u003e\u003cscript\u003ealert(1);\u003c/script\u003e"}

and here is the output of simplejson.encoder.JSONEncoderForHTML after changing the codes in replace to &amp;, etc. as indicated earlier:

    {"label": "xss here\"&gt;&lt;script&gt;alert(1);&lt;/script&gt;"}

It is used in an autocompletion .js script (not between <script> tags in an HTML file) like this:

    return $('<a/>').attr('href', result.url)
        .append($('<img>').attr('src', imageurl)
            .addClass(image_class)
            .after($('<span/>')
                .addClass(label_class).text(result.label)));

result.label is the value of the key 'label'.

3) Why is the JavaScript alert displaying 1 with the simplejson method, but not with the cgi.escape escaping?

Are the codes \\u003c decoded and treated as < characters?

To give more context, I don't want to have this in every JSON handler of the web app, and potentially forget to escape something:

    response = {'a': escape(a), 'b': escape(b)}  # many more variables here
    return json.dumps(response)

4) Is there an alternative way of automatically escaping HTML returned in JSON?

A recursive walk of the object like tornado.escape.recursive_unicode, escaping instead? Something else?

Update: the alert, why does it display 1 when escaping using this method?

    <div id="alert">a</div>
    $("#alert").html("xss here\"\u003e\u003cscript\u003ealert(1);\u003c/script\u003e");

http://jsfiddle.net/aclyd/

JSONEncoderForHTML makes the JSON safe for embedding in a <script> tag, which is not what you want, and there's no reasonable way for the library to know that.
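An added example, not part of the question or answer above, that works through what happens to the page's JSON on the client: `\u003c` is only JSON's spelling of `<`, so JSON.parse gives the raw tag characters back, and the protection JSONEncoderForHTML buys is that the JSON text itself cannot contain `</script>`. Escaping for the HTML context has to happen where the value is inserted into the DOM; entity-escaping inside the JSON instead double-encodes anything shown as text. The sample strings are constructed to match the page's input.

```javascript
// Constructed: what JSONEncoderForHTML emits for {'label': 'xss here"><script>alert(1);</script>'}
const jsonForScriptTag =
  '{"label": "xss here\\"\\u003e\\u003cscript\\u003ealert(1);\\u003c/script\\u003e"}';
// Constructed: the same value with the replace calls swapped for cgi.escape's entities
const jsonWithEntities =
  '{"label": "xss here\\"&gt;&lt;script&gt;alert(1);&lt;/script&gt;"}';

// JSON.parse decodes \u003c to '<', so the parsed label is the original tag soup.
function decodeLabel(jsonText) {
  return JSON.parse(jsonText).label;
}

// The only thing the \uXXXX form guards against: the HTML parser ends a <script>
// element at the first "</script" it sees, regardless of JavaScript string quoting.
function breaksOutOfScriptTag(jsonText) {
  return /<\/script/i.test(jsonText);
}

// Escaping for the HTML context, applied at render time to the decoded value
// (the equivalent of cgi.escape, but in the place where it is actually needed).
function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;');
}

// Safe equivalent of $("#alert").html(label): build markup only from escaped text.
function renderLabel(label) {
  return '<span class="label">' + escapeHtml(label) + '</span>';
}

// Wrong context: entities inside the JSON survive JSON.parse untouched, so a
// .text()-style insertion would show "&lt;script&gt;" literally to the user.
function isDoubleEncoded(label) {
  return /&(amp|lt|gt|quot);/.test(label);
}
```
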
