What is the HTML attribute encode method in Tornado?


ybjnew

Jul 22, 2013, 9:15:26 AM
to python-...@googlegroups.com
There is an xhtml_escape in Tornado, but I don't think it is enough.

Look at this:

<p title="<img />">abcdefghi</p>

"<img />" is in the attribute of p tag, so it should not be encoded to &gt;img /&lt;

Then, what is the attribute encode method in Tornado??

aliane abdelouahab

Jul 22, 2013, 9:13:09 PM
to python-...@googlegroups.com
I don't understand, but here it gets okay; it doesn't render &gt;img /&lt;
but if you want to escape only a part, here is a simple hack:
<p title={{escape(str("<img />"))}}>abcdefghi</p>

Didip Kerabat

Jul 22, 2013, 10:35:02 PM
to python-...@googlegroups.com
I hope I understand the question. I think you are asking: Why does Tornado not selectively escape certain tags/attributes?

Preventing cross-site injection is tricky and almost an art by itself.

How do you decide which DOM tag/attribute is safe and which one is not?

Let me give you an example:

<img src="http://example.com/evilproxy.png?c=<script>alert("pwnd!")</script>" />

or another one:

<style>body { content: "your html now looks like 4chan" }</style>

The general rule of "it is better to be safe than sorry" is usually a good rule to follow.

That's why Tornado escapes everything.

Didip Kerabat
Co-founder of ontheplates.com
--
You received this message because you are subscribed to the Google Groups "Tornado Web Server" group.
To unsubscribe from this group and stop receiving emails from it, send an email to python-tornad...@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.

ybjnew

Jul 23, 2013, 10:23:46 AM
to python-...@googlegroups.com
I don't think attribute encode is the same as HTML encode.

In .NET, Microsoft gives 2 methods: HttpUtility.HtmlEncode(xxx) and HttpUtility.HtmlAttributeEncode(xxxx)

I think it should also have a JavaScript attribute encode, and an attribute encode.

Ben Darnell

Jul 23, 2013, 9:17:46 PM
to Tornado Mailing List
On Tue, Jul 23, 2013 at 10:23 AM, ybjnew <ybj...@gmail.com> wrote:
> I don't think attribute encode is the same as HTML encode.
>
> In .NET, Microsoft gives 2 methods: HttpUtility.HtmlEncode(xxx) and HttpUtility.HtmlAttributeEncode(xxxx)

These methods seem to be confusingly named.  HtmlEncode uses percent-escaping, so it is the equivalent of tornado's url_escape().  HtmlAttributeEncode does roughly the same thing as tornado's xhtml_escape()/escape(); it is safe for both (quoted) attributes and body text.  

Reference:


> I think it should also have a JavaScript attribute encode, and an attribute encode.

Javascript escaping is much trickier than escaping elsewhere in HTML (see https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet).   You can use json_encode for this, but be careful.  The same escaping can be used for non-javascript attributes and body text as long as the escape function covers both angle brackets and quotes (which tornado's escape function does).

-Ben
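An added example (not from this thread and not Tornado's own code) that checks the claim above with only the Python standard library: `html.escape` covers the same characters (angle brackets and both quote types) that Ben says make one escape function safe for body text and double-quoted attributes, and `json.dumps` plus splitting `</` stands in for the JSON-based script-context encoding he mentions. The names `render_paragraph`, `parse` and `escape_js_literal` are mine; the `_Probe` parser shows what a browser-like tokenizer actually recovers from the rendered markup.

```python
import html
import json
from html.parser import HTMLParser


def escape_html(text: str) -> str:
    """Entity-escape & < > " ' so the value is safe in body text AND in a
    double-quoted attribute (the same character set tornado's xhtml_escape covers)."""
    return html.escape(text, quote=True)


def escape_js_literal(value) -> str:
    """Encode a Python value as a JS literal for use inside <script>.
    json.dumps handles quotes, backslashes and control characters; splitting
    '</' keeps a '</script>' inside the data from closing the element early."""
    return json.dumps(value).replace("</", "<\\/")


def render_paragraph(title: str, body: str, escape: bool = True) -> str:
    """Render <p title="...">body</p>; escape=False is only there for comparison."""
    if escape:
        title, body = escape_html(title), escape_html(body)
    return '<p title="%s">%s</p>' % (title, body)


class _Probe(HTMLParser):
    """Records the start tags and decoded title attribute values the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags, self.titles = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.titles += [v for k, v in attrs if k == "title"]


def parse(rendered: str):
    """Return (tag names, title values) as a browser-like HTML parser recovers them."""
    probe = _Probe()
    probe.feed(rendered)
    probe.close()
    return probe.tags, probe.titles


if __name__ == "__main__":
    # constructed samples: the original poster's value, plus one containing a quote
    for t in ('<img />', 'say "hi"'):
        out = render_paragraph(t, "abcdefghi")
        print(out, "->", parse(out))               # escaped: still exactly one <p>, title intact
        raw = render_paragraph(t, "abcdefghi", escape=False)
        print(raw, "->", parse(raw))               # unescaped: the quote case breaks the attribute
    print(escape_js_literal("</script>"))         # "<\/script>"
```

The escaped output for the original poster's value is `<p title="&lt;img /&gt;">abcdefghi</p>`, which the parser decodes back to a title of exactly `<img />`, so nothing is lost by escaping inside the attribute.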