Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
GitHub fields:
```
assignee = None
closed_at = None
created_at = <Date 2021-12-22.13:26:50.501>
labels = ['type-security', 'library', '3.11']
title = 'SimpleCookie.js_output is vulnerable to HTML injection'
updated_at = <Date 2021-12-22.13:26:50.501>
user = 'https://bugs.python.org/trungpaaa'
```
In /Lib/http/cookies.py, the output from SimpleCookie.js_output might be parsed as HTML if it contained < and >.
```python
from http import cookies

c = cookies.SimpleCookie()
c["fig"] = "newton</script><script>alert(document.domain)</script>"
print(c.js_output())  # prints the markup below
```
```html
<script type="text/javascript">
<!-- begin hiding
document.cookie = "fig=\"newton</script><script>alert(document.domain)</script>\"";
// end hiding -->
</script>
```
We can't simply escape all the special characters because the encoding method is treated differently depending on the document types. For example, the following snippet (from The Tangled Web) is safe in HTML but not in XHTML:
```html
<script type="text/javascript">
var tmp = 'I am harmless! &#x27;+alert(1);// Or am I?';
</script>
```
To avoid messing with the encoding methods, we could encode the cookie string in base64 and let the browser decode it.
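The base64 approach proposed in the last paragraph, sketched as an added example (not code from the report or from CPython). `js_output_b64`, `embedded_cookie_strings` and `build_sample` are hypothetical helper names, and the browser is assumed to provide `atob()`.

```python
import base64
import re
from http import cookies


def js_output_b64(cookie: cookies.BaseCookie) -> str:
    """Hypothetical hardened variant of js_output(): ship each cookie
    string as base64 and let the browser decode it with atob()."""
    lines = []
    for _, morsel in sorted(cookie.items()):
        # OutputString() is the "name=value; attrs" text that js_output() embeds.
        raw = morsel.OutputString()
        # atob() yields one character per byte, so latin-1 round-trips;
        # anything outside that range raises instead of being altered silently.
        payload = base64.b64encode(raw.encode("latin-1")).decode("ascii")
        # The base64 alphabet (A-Z a-z 0-9 + / =) contains no <, >, &, " or \,
        # so the literal is inert under both HTML and XHTML script parsing.
        lines.append('document.cookie = atob("%s");' % payload)
    return '<script type="text/javascript">\n%s\n</script>' % "\n".join(lines)


def embedded_cookie_strings(html: str) -> list:
    """Decode the payloads back, i.e. what the browser would assign."""
    return [base64.b64decode(p).decode("latin-1")
            for p in re.findall(r'atob\("([A-Za-z0-9+/=]*)"\)', html)]


def build_sample() -> cookies.SimpleCookie:
    c = cookies.SimpleCookie()
    # Cookie value taken from the report above.
    c["fig"] = "newton</script><script>alert(document.domain)</script>"
    return c


if __name__ == "__main__":
    hardened = js_output_b64(build_sample())
    print(hardened)
    print(embedded_cookie_strings(hardened))
```
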