STINNER Victor <victor.stin...@haypocalc.com> added the comment:

> What's wrong with < and >?

>>> c=Cookie.Cookie('Customer="</script>";'); print c.js_output()
<script type="text/javascript">
<!-- begin hiding
document.cookie = "Customer="</script>"";
// end hiding -->
</script>

It allows HTML/JavaScript injection. Well, Python 2.5 already displays a warning:

/usr/lib/python2.5/Cookie.py:710: DeprecationWarning: Cookie/SmartCookie class is insecure; do not use it

The right fix is maybe to remove the deprecated and insecure function!

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue4860>
_______________________________________
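The output in the message above closes the script block early because the cookie string is placed between double quotes without escaping. The following is an added example, not part of the original message and not CPython's code: it puts that unescaped interpolation beside one way to encode the value so the HTML parser never sees a closing tag. The template and all function names are hypothetical.

```python
import json

# Constructed sample: the cookie string used in the message above.
SAMPLE = 'Customer="</script>"'

# Hypothetical template, modelled on the <script> wrapper in the output above.
TEMPLATE = '<script type="text/javascript">\ndocument.cookie = %s;\n</script>'


def naive_js_output(cookie_string):
    """Unescaped interpolation between double quotes, as in the reported output."""
    return TEMPLATE % ('"' + cookie_string + '"')


def js_string_literal(text):
    """Encode text as a JavaScript string literal that is inert to the HTML parser."""
    # json.dumps escapes ", \ and control characters; with the default
    # ensure_ascii=True it also escapes all non-ASCII (including U+2028/U+2029).
    literal = json.dumps(text)
    # The HTML parser ends a script block at "</script" regardless of JavaScript
    # quoting, so <, > and & are written as \uXXXX escapes.
    for ch in "<>&":
        literal = literal.replace(ch, "\\u%04x" % ord(ch))
    return literal


def safe_js_output(cookie_string):
    """Same wrapper, with the value encoded by js_string_literal."""
    return TEMPLATE % js_string_literal(cookie_string)


def script_end_tags(html):
    """Count the places where an HTML parser would close a script block."""
    return html.lower().count("</script")


if __name__ == "__main__":
    print(naive_js_output(SAMPLE))
    print(safe_js_output(SAMPLE))
```

The encoded literal still evaluates to the original cookie string in JavaScript, so only the markup-significant characters change form.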