Expanded the security docs to mention unquoted attributes as dangerous

1 parent cb660cd commit 559d2810d7b6f2938cac402636cc689016f28520 @mitsuhiko mitsuhiko committed Jul 18, 2010
Showing with 26 additions and 1 deletion.
  1. +1 −1 docs/foreword.rst
  2. +25 −0 docs/security.rst
2 docs/foreword.rst
@@ -103,4 +103,4 @@ Werkzeug and Flask will be ported to Python 3 as soon as a solution for
WSGI is found, and we will provide helpful tips how to upgrade existing
applications to Python 3. Until then, we strongly recommend using Python
2.6 and 2.7 with activated Python 3 warnings during development, as well
- as the unicode literals `__future__` feature.
+as the unicode literals `__future__` feature.
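Review bot: the only change in this hunk is dropping the stray leading space before `as the unicode literals` in foreword.rst, which has nothing to do with the commit message's subject (the security docs); mention it in the message or split it into its own commit so the whitespace fix is not hidden under a security-docs change.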
25 docs/security.rst
@@ -30,6 +30,31 @@ careful:
content-type guessing based on the first few bytes so users could
trick a browser to execute HTML.
+Another thing that is very important are unquoted attributes. While
+Jinja2 can protect you from XSS issues by escaping HTML, there is one
+thing it cannot protect you from: XSS by attribute injection. To counter
+this possible attack vector, be sure to always quote your attributes with
+either double or single quotes when using Jinja expressions in them:
+
+.. sourcecode:: html+jinja
+
+ <a href="{{ href }}">the text</a>
+
+Why is this necessary? Because if you would not be doing that, an
+attacker could easily inject custom JavaScript handlers. For example an
+attacker could inject this piece of HTML+JavaScript:
+
+.. sourcecode:: html
+
+ onmouseover=alert(document.cookie)
+
+When the user would then move with the mouse over the link, the cookie
+would be presented to the user in an alert window. But instead of showing
+the cookie to the user, a good attacker might also execute any other
+JavaScript code. In combination with CSS injections the attacker might
+even make the element fill out the entire page so that the user would
+just have to have the mouse anywhere on the page to trigger the attack.
+
Cross-Site Request Forgery (CSRF)
---------------------------------

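Review bot: the new paragraph tells the reader to quote attributes but never says why quoting helps, which is the one thing a reader needs to take away: an unquoted attribute value ends at the first space, so the injected `onmouseover=alert(document.cookie)` becomes a second attribute of the `<a>` element, while inside a quoted `href="{{ href }}"` the escaping that Jinja2 already applies keeps the value from terminating the attribute. Showing the unquoted `<a href={{ href }}>` beside the quoted form in the first `sourcecode` block would make that contrast visible instead of leaving the reader to infer it. Two wording points as well: `Another thing that is very important are unquoted attributes` has a number-agreement error (suggest `Another very important point is unquoted attributes`), and `Because if you would not be doing that` reads awkwardly (suggest `Because if you do not, an attacker could easily inject custom JavaScript handlers`).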