I think Anthony is right. His suggested fix is now in trunk. Give it a try.
On Sunday, 5 August 2012 23:21:53 UTC-5, Anthony wrote:
>
> With xmlescape, HTML helpers should still work fine -- xmlescape does not
> escape helpers, only the components within the helpers (I think it
> basically replicates the escaping behavior of web2py views):
>
> >>> xmlescape(A("Hello World", _href="#"))
> '<a href="#">Hello World</a>'
>
> However, with xmlescape, raw HTML will now be escaped:
>
> >>> xmlescape('<a href="#">Hello World</a>')
> '&lt;a href=&quot;#&quot;&gt;Hello World&lt;/a&gt;'
>
> Of course, that can be avoided as usual with XML():
>
> >>> xmlescape(XML('<a href="#">Hello World</a>'))
> '<a href="#">Hello World</a>'
>
> I see this as fixing a security bug rather than a backward compatibility
> issue. Regular flash messages are escaped, along with everything else in
> the view -- why not escape Ajax flash messages?
>
> Anthony
>
> On Sunday, August 5, 2012 11:45:21 PM UTC-4, Massimo Di Pierro wrote:
>>
>> I think
>>
>> response.flash = A("Hello World", _href="#")
>>
>> should be allowed. It was always allowed. This is a backward
>> compatibility issue. Yet I see there is a potential security issue there.
>> I am not sure what the exact solution should be. Perhaps automatic
>> sanitization of flash messages before response?
>>
>> response.flash = XML(str(response.flash), sanitize=True).xml()
>>
>>
>> On Aug 5, 2012, at 10:22 PM, Niphlod wrote:
>>
>> Would serialized HTML messages be escaped then?
>>
>> What if someone uses response.flash = A("Hello World", _href="#")?
>>
>> On Monday, August 6, 2012 4:50:31 AM UTC+2, Anthony wrote:
>>>
>>> Bump. Should we replace str() with xmlescape() so Ajax flash messages
>>> get escaped, just like regular flash messages and everything else in the
>>> view?
>>>
>>> Anthony
>>>
>>> On Saturday, August 4, 2012 9:23:53 PM UTC-4, Anthony wrote:
>>>>
>>>> On Saturday, August 4, 2012 7:00:18 PM UTC-4, dbdeveloper wrote:
>>>>>
>>>>> I do not understand: what is the problem with decodeURIComponent()?
>>>>>
>>>>
>>>> When I tried trunk, I think there was a problem with the encoding of my
>>>> controller file (ANSI instead of UTF-8) -- in that case, I guess
>>>> urllib2.quote didn't yield the correct output for decodeURIComponent (same
>>>> problem in the earlier version, when the escaping was done on the client
>>>> side via the JavaScript escape() function). Now it works.
>>>>
>>>> In any case, a remaining issue is that there's still no escaping of
>>>> potentially dangerous content in the flash message. Everything written to
>>>> HTML by web2py is typically escaped, including regular flash messages. The
>>>> only content that isn't getting escaped is flash messages for Ajax
>>>> components. To be consistent (and safe), we should probably escape those
>>>> messages as well (you can always put them in an XML() if you don't want
>>>> them escaped, as with any template content). In main.py, I replaced:
>>>>
>>>> urllib2.quote(str(response.flash).replace('\n',''))
>>>>
>>>> with:
>>>>
>>>> urllib2.quote(xmlescape(response.flash).replace('\n',''))
>>>>
>>>> With that change, the flash message still looks fine (see screenshot
>>>> below).
>>>>
>>>> Anthony
>>>>
>>>> <https://lh3.googleusercontent.com/-Z8G64F_zCv4/UB3KLUoUcGI/AAAAAAAABK8/sO9okzpFtJ4/s1600/flash.png>
>>>>
>> --
>> -- mail from: GoogleGroups "web2py-developers" mailing list
>> make speech: web2py-develop...@googlegroups.com
>> unsubscribe: web2py-developers+unsubscr...@googlegroups.com
>> details : http://groups.google.com/group/web2py-developers
>> the project: http://code.google.com/p/web2py/
>> official : http://www.web2py.com/
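The behaviour the thread settles on can be reproduced outside web2py. The following is an added example, not code from the thread and not web2py's own implementation: `XML`, `A` and `xmlescape` are simplified stand-ins written for this illustration (web2py's helpers accept far more than shown here), `ajax_flash_header_before` and `ajax_flash_header_after` model the two `main.py` expressions Anthony quotes, and `client_decode` stands in for the browser's `decodeURIComponent()`. It uses Python 3's `html` and `urllib.parse` where the original used `cgi` and `urllib2`.

```python
# Added example: stand-ins that mimic the escaping behaviour discussed in the thread.
# Not web2py's code; XML, A and xmlescape below are simplified imitations.
import html
from urllib.parse import quote, unquote


class XML:
    """Marks a string as already-safe HTML, like web2py's XML(): rendered unescaped."""

    def __init__(self, text):
        self.text = text

    def xml(self):
        return self.text


def xmlescape(data, escape_quotes=True):
    """Escape a plain string for HTML. Objects exposing .xml() (helpers, XML())
    render themselves, so only the components inside a helper get escaped."""
    if hasattr(data, 'xml') and callable(data.xml):
        return data.xml()
    return html.escape(str(data), quote=escape_quotes)


class A:
    """Simplified stand-in for the web2py A() helper: keyword arguments of the
    form _name=value become name="value"; attribute values and body are escaped."""

    def __init__(self, *components, **attributes):
        self.components = components
        self.attributes = attributes

    def xml(self):
        attrs = ''.join(
            ' %s="%s"' % (name[1:], xmlescape(value))
            for name, value in sorted(self.attributes.items())
            if name.startswith('_'))
        body = ''.join(xmlescape(c) for c in self.components)
        return '<a%s>%s</a>' % (attrs, body)

    # str(helper) serialises it; this is why str() in main.py kept helpers working
    __str__ = xml


def ajax_flash_header_before(flash):
    """The pre-fix main.py expression: plain text reaches the header unescaped."""
    return quote(str(flash).replace('\n', ''))


def ajax_flash_header_after(flash):
    """Anthony's fix: HTML-escape first, then URL-quote for the response header."""
    return quote(xmlescape(flash).replace('\n', ''))


def client_decode(header_value):
    """What the page's JavaScript does with the header value: decodeURIComponent()."""
    return unquote(header_value)


if __name__ == '__main__':
    # Constructed sample: text a user could influence ending up in response.flash
    user_text = 'Saved <b>record</b> & "done"\n'
    print(client_decode(ajax_flash_header_before(user_text)))  # markup reaches the page as-is
    print(client_decode(ajax_flash_header_after(user_text)))   # entities: rendered as text
    print(client_decode(ajax_flash_header_after(A("Hello World", _href="#"))))  # helper intact
    print(client_decode(ajax_flash_header_after(XML('<i>trusted</i>'))))         # opt-out intact
```

The three `xmlescape` cases from Anthony's message come out exactly as he shows them: a helper renders as markup, a raw string is entity-escaped, and wrapping it in `XML()` is the explicit opt-out. The header functions show why the change matters only on the Ajax path: `str()` passed raw text through, `xmlescape()` escapes it while leaving helpers and `XML()` untouched.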