Message 79915 - Python tracker

➜

This issue tracker has been migrated to GitHub , and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

In-reply-to
Author	vstinner
Recipients	noufal, vstinner
Date	2009年01月15日.19:53:55
SpamBayes Score	0.0077512963
Marked as misclassified	No
Message-id	<1232049236.59.0.0738130759742.issue4860@psf.upfronthosting.co.za>

Content
> What's wrong with < and >? >>> c=Cookie.Cookie('Customer="</script>";'); print c.js_output() <script type="text/javascript"> <!-- begin hiding document.cookie = "Customer="</script>""; // end hiding --> </script> It allows HTML/Javascript injection. Well, Python 2.5 already displays a warning: /usr/lib/python2.5/Cookie.py:710: DeprecationWarning: Cookie/SmartCookie class is insecure; do not use it The right fix is maybe to remove deprecated and unsecure function!

Content

> What's wrong with < and >?
>>> c=Cookie.Cookie('Customer="</script>";'); print c.js_output()
 <script type="text/javascript">
 <!-- begin hiding
 document.cookie = "Customer="</script>"";
 // end hiding -->
 </script>
It allows HTML/Javascript injection. Well, Python 2.5 already displays 
a warning:
/usr/lib/python2.5/Cookie.py:710: DeprecationWarning: 
Cookie/SmartCookie class is insecure; do not use it
The right fix is maybe to remove deprecated and unsecure function!

History
Date	User	Action	Args
2009年01月15日 19:53:56	vstinner	set	recipients: + vstinner, noufal
2009年01月15日 19:53:56	vstinner	set	messageid: <1232049236.59.0.0738130759742.issue4860@psf.upfronthosting.co.za>
2009年01月15日 19:53:55	vstinner	link	issue4860 messages
2009年01月15日 19:53:55	vstinner	create

homepage