forked from orbit-oss/flask
Expanded the security docs to mention unquoted attributes as dangerous
This commit is contained in:
parent
cb660cd1f1
commit
559d2810d7
2 changed files with 26 additions and 1 deletions
|
|
@ -103,4 +103,4 @@ Werkzeug and Flask will be ported to Python 3 as soon as a solution for
|
||||||
WSGI is found, and we will provide helpful tips how to upgrade existing
|
WSGI is found, and we will provide helpful tips how to upgrade existing
|
||||||
applications to Python 3. Until then, we strongly recommend using Python
|
applications to Python 3. Until then, we strongly recommend using Python
|
||||||
2.6 and 2.7 with activated Python 3 warnings during development, as well
|
2.6 and 2.7 with activated Python 3 warnings during development, as well
|
||||||
as the unicode literals `__future__` feature.
|
as the unicode literals `__future__` feature.
|
||||||
|
|
|
||||||
|
|
@ -30,6 +30,31 @@ careful:
|
||||||
content-type guessing based on the first few bytes so users could
|
content-type guessing based on the first few bytes so users could
|
||||||
trick a browser to execute HTML.
|
trick a browser to execute HTML.
|
||||||
|
|
||||||
|
Another thing that is very important are unquoted attributes. While
|
||||||
|
Jinja2 can protect you from XSS issues by escaping HTML, there is one
|
||||||
|
thing it cannot protect you from: XSS by attribute injection. To counter
|
||||||
|
this possible attack vector, be sure to always quote your attributes with
|
||||||
|
either double or single quotes when using Jinja expressions in them:
|
||||||
|
|
||||||
|
.. sourcecode:: html+jinja
|
||||||
|
|
||||||
|
<a href="{{ href }}">the text</a>
|
||||||
|
|
||||||
|
Why is this necessary? Because if you would not be doing that, an
|
||||||
|
attacker could easily inject custom JavaScript handlers. For example an
|
||||||
|
attacker could inject this piece of HTML+JavaScript:
|
||||||
|
|
||||||
|
.. sourcecode:: html
|
||||||
|
|
||||||
|
onmouseover=alert(document.cookie)
|
||||||
|
|
||||||
|
When the user would then move with the mouse over the link, the cookie
|
||||||
|
would be presented to the user in an alert window. But instead of showing
|
||||||
|
the cookie to the user, a good attacker might also execute any other
|
||||||
|
JavaScript code. In combination with CSS injections the attacker might
|
||||||
|
even make the element fill out the entire page so that the user would
|
||||||
|
just have to have the mouse anywhere on the page to trigger the attack.
|
||||||
|
|
||||||
Cross-Site Request Forgery (CSRF)
|
Cross-Site Request Forgery (CSRF)
|
||||||
---------------------------------
|
---------------------------------
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue