From 9f6bc93e4de36fc209eb1203845e9505df1ca379 Mon Sep 17 00:00:00 2001
From: Armin Ronacher
Date: Tue, 20 Apr 2010 15:12:16 +0200
Subject: [PATCH] Fixed XSS problem by escaping all slashes in JSON. This also probes simplejson first to figure out if it escapes slashes which it did in earlier versions.
---
flask.py | 12 +++++++++++-
tests/flask_tests.py | 2 ++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/flask.py b/flask.py
index 05197c81..cb638e70 100644
--- a/flask.py
+++ b/flask.py
@@ -10,6 +10,7 @@
:license: BSD, see LICENSE for more details.
"""
from __future__ import with_statement
+import re
import os
import sys
@@ -47,6 +48,12 @@
except (ImportError, AttributeError):
pkg_resources = None
+# figure out if simplejson escapes slashes. This behaviour was changed
+# from one version to another without reason.
+if json_available:
+ _json_escapes_slashes = '\\/' in json.dumps('/')
+
+
class Request(RequestBase):
"""The request object used by default in flask. Remembers the matched endpoint and view arguments.
@@ -271,7 +278,10 @@
def _tojson_filter(string, *args, **kwargs):
"""Calls dumps for the template engine, escaping Slashes properly."""
if __debug__:
_assert_have_json()
- return json.dumps(string, *args, **kwargs).replace('"|tojson|safe }}')
assert rv == '"<\\/script>"'
+ rv = flask.render_template_string('{{ "<\0/script>"|tojson|safe }}')
+ assert rv == '"<\\u0000\\/script>"'
class TemplatingTestCase(unittest.TestCase):
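Review bot: The added `import re` is not referenced by any other visible line of this patch; unless the `_tojson_filter` hunk, which is only partially shown here, actually uses it, it is an unused import and should be dropped. Leaving it in suggests a regex-based escape exists when the slash handling is a plain `str.replace`, which sends the next reader looking for code that is not there.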
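Review bot: `_json_escapes_slashes` is bound only inside `if json_available:`, so when no JSON library was found the module-level name does not exist at all, and any later reference to it (the commit message says the filter consults it) fails with a `NameError` rather than the `_assert_have_json()` error the filter is meant to raise; note that guard is skipped under `python -O` because it sits behind `if __debug__:`. Add `else:` / `    _json_escapes_slashes = False` so the flag always exists. The probe `'\\/' in json.dumps('/')` runs once at import time, which is only correct if `json` is never rebound afterwards; a one-line comment stating that assumption would help, and the "changed ... without reason" wording should be replaced by the simplejson version range it refers to. Separately, escaping `/` only stops a `</script>` tag breakout — a value rendered with `tojson|safe` is still unsafe if `<`, `>`, `&` or a quote reaches an HTML attribute or other non-script context, which this commit does not attempt to cover.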