On Tuesday, April 16, 2019 at 8:03:55 AM UTC-7, Alex wrote:
>
> Thanks for your suggestions. Although nothing gets me the desired result. 
> If I use urllib.quote or XML in the controller way too much gets escaped 
> (all < and > signs, blanks, etc.) which is not what I want. And I'd have to 
> do this for all attributes in every controller function.
>
> My problem is exactly the same as in this stackoverflow question for 
> django:
>
> https://stackoverflow.com/questions/14290517/safely-using-json-with-html-inside-of-the-json-in-django-templates
> In Django there seems to be an escapejs filter.
>
>
Did you look at XML's permitted_tags and allowed_attributes?

> Then I found out that there is an ASSIGNJS helper in web2py which is 
> actually exactly what I need. Therefore I could replace
>
> <script type="text/javascript">
> var filterSettings = {{=XML(filter_settings)}};
> </script>
>
> with
>
> <script type="text/javascript">
> {{=ASSIGNJS(filterSettings=filter_settings)}};
> </script>
>
> and expect everything to work fine and safe. Only to find out that this is 
> vulnerable to the same exploit (at least in web2py 2.12.3). In case this 
> still happens with the newest web2py version this is a major security flaw 
> - if I'm not mistaken. I'll test this soon and then get back here.
>
> Why are we still using such an old version? I waited very long until web2py 
> was Python 3 ready because upgrading web2py in our production system 
> involves a lot of work (update deployment process and all instances, lots 
> of testing, etc.). Since we need to upgrade to Python 3 anyway we only want 
> to upgrade once for now.
>
>
Goodness.  I'm feeling guilty about using 2.15.4, which is 2 1/2 years 
old.  At home I still have 2.14.6 on Windows  -- 3 years old, but I'm the 
only user, and I do try out newer versions at times.

/dps
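The escapejs-style approach referred to above, as an added example that is not web2py's own code and says nothing about what ASSIGNJS does internally: serialize to JSON with the standard library, then replace the three characters that could end an inline script element, so that a string value containing `</script>` can no longer break out of the block. The helper names and the sample `filter_settings` dict are constructed for this example.

```python
import json

# Characters that must not appear literally inside an inline <script> body.
# They are rewritten as ordinary JSON \uXXXX escapes, which JSON parsers and
# browsers decode back to the original character, so the data is unchanged.
_SCRIPT_ESCAPES = {"<": "\\u003c", ">": "\\u003e", "&": "\\u0026"}


def json_for_script(value):
    """Serialize value as JSON that is safe to embed as <script> content.

    json.dumps keeps ensure_ascii=True here, so U+2028/U+2029 and other
    non-ASCII characters already come out as \\uXXXX escapes.
    """
    text = json.dumps(value)
    for ch, rep in _SCRIPT_ESCAPES.items():
        text = text.replace(ch, rep)
    return text


def script_tag_intact(json_text):
    """True when the serialized JSON cannot terminate an enclosing <script>."""
    lowered = json_text.lower()
    return "</script" not in lowered and "<!--" not in lowered


def round_trips(value):
    """The extra escapes are plain JSON escapes, so the client sees the same data."""
    return json.loads(json_for_script(value)) == value


def render_assignment(var_name, value):
    """Emit the script block the way the template in the thread does."""
    return '<script type="text/javascript">\nvar %s = %s;\n</script>' % (
        var_name, json_for_script(value))


# Constructed sample: HTML inside the JSON is wanted (hence XML() in the view),
# but the "note" value shows why the raw JSON must not be emitted verbatim.
filter_settings = {
    "label": 'Filters for <b>"Alex"</b> & co.',
    "note": "</script><p>constructed break-out attempt</p>",
}

if __name__ == "__main__":
    print(render_assignment("filterSettings", filter_settings))
```

In a web2py view the result would still be wrapped in XML() so the template does not entity-escape it; that is fine here because the string no longer contains a literal `<`, `>` or `&`. This protects script-element content only, not values placed in HTML attributes or event handlers.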
