[issue9061] cgi.escape Can Lead To XSS Vulnerabilities
New submission from Craig Younkins :
The method in question: http://docs.python.org/library/cgi.html#cgi.escape
http://svn.python.org/view/python/tags/r265/Lib/cgi.py?view=markup # at the
bottom
http://code.python.org/hg/trunk/file/3be6ff1eebac/Lib/cgi.py#l1031
"Convert the characters '&', '<' and '>' in string s to HTML-safe sequences.
Use this if you need to display text that might contain such characters in
HTML. If the optional flag quote is true, the quotation mark character ('"') is
also translated; this helps for inclusion in an HTML attribute value, as in . If the value to be quoted might include single- or double-quote
characters, or both, consider using the quoteattr() function in the
xml.sax.saxutils module instead."
cgi.escape never escapes single quote characters, which can easily lead to a
Cross-Site Scripting (XSS) vulnerability. This seems to be known by many, but a
quick search reveals many are using cgi.escape for HTML attribute escaping.
The intended use of this method is unclear to me. Up to and including Mako
0.3.3, this method was the HTML escaping method. Used in this manner,
single-quoted attributes with user-supplied data are easily susceptible to
cross-site scripting vulnerabilities.
While the documentation says "if the value to be quoted might include single-
or double-quote characters... [use the] xml.sax.saxutils module instead," it
also implies that this method will make input safe for HTML. Because this
method escapes 4 of the 5 key XML characters, it is reasonable to expect some
will use it for HTML escaping.
I suggest rewording the documentation for the method making it more clear what
it should and should not be used for. I would like to see the method changed to
properly escape single-quotes, but if it is not changed, the documentation
should explicitly say this method does not make input safe for inclusion in
HTML.
This is definitely affecting the security of some Python web applications. I
already mentioned Mako, but I've found this type of bug in other frameworks and
engines because the creators either called cgi.escape directly or modeled their
own after it.
Craig Younkins
--
assignee: d...@python
components: Documentation, Library (Lib)
messages: 108457
nosy: Craig.Younkins, d...@python
priority: normal
severity: normal
status: open
title: cgi.escape Can Lead To XSS Vulnerabilities
versions: Python 2.5, Python 2.6, Python 2.7, Python 3.1, Python 3.2, Python 3.3
___
Python tracker
<http://bugs.python.org/issue9061>
___
___
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue9061] cgi.escape Can Lead To XSS Vulnerabilities
Changes by Craig Younkins : -- type: -> security ___ Python tracker <http://bugs.python.org/issue9061> ___ ___ Python-bugs-list mailing list Unsubscribe: http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue9061] cgi.escape Can Lead To XSS Vulnerabilities
Craig Younkins added the comment:
Proof of concept:
print """""" % cgi.escape("' onload='alert(1);' bad='")
--
___
Python tracker
<http://bugs.python.org/issue9061>
___
___
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
[issue9061] cgi.escape Can Lead To XSS Vulnerabilities
Craig Younkins added the comment:
> cgi.escape is for HTML attribute escaping only.
It is not safe for HTML attribute escaping because it does not encode single
quotes.
> "More suitable" for HTML would be the correct interpretation rather make the
> "input safe".
"More suitable, but not quite secure"
Regardless of the intended use of this method, many many people are using it
for insecure HTML entity escaping.
> you should explain or point out to resources where
> 'single quotes' representation in a non-entity format
> in a HTML page has lead to XSS.
print "" % cgi.escape("' onload='alert(1);' bad='")
> The very next paragraph seems to address the security considerations
> while using the cgi module itself, rather than limiting it to
> cgi.escape. It says that:
> "To be on the safe side, if you must pass a string gotten from a form
> to a shell command, you should make sure the string contains only
> alphanumeric characters, dashes, underscores, and periods."
The security concerns related to output on the web are very different from the
concerns related sending user input to a shell command. The needed escaping is
completely different. Also, the security advice above is woefully inadequate.
> Any doc change suggestions you propose?
Convert the characters '&', '<' and '>' in string s to their HTML entity
encoded values. If the optional flag quote is true, the double-quotation mark
character ('"') is also encoded. Note that the output of this method is not
safe to put in an HTML attribute because it does not escape single quotes. If
the value to be quoted might include single- or double-quote characters, or
both, consider using the quoteattr() function in the xml.sax.saxutils module
instead.
> If cgi.escape needs to escape single quotes, what should it be as:
> lsquo/rsquo (for XHTML) and ' or ' for Others?
Sorry, I should have included that in the OP. It should escape to '
It is also advised to escape the forward slash character ('/') to /
See OWASP.org for an explanation of the complexities of the escaping:
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.231_-_HTML_Escape_Before_Inserting_Untrusted_Data_into_HTML_Element_Content
--
___
Python tracker
<http://bugs.python.org/issue9061>
___
___
Python-bugs-list mailing list
Unsubscribe:
http://mail.python.org/mailman/options/python-bugs-list/archive%40mail-archive.com
