ravi-patel/flask
1
0
Fork 0
forked from orbit-oss/flask
Code Pull requests Activity

add section on copy/paste security

Browse source
This commit is contained in:
Kai Chen 2020-05-31 13:51:00 -07:00 committed by David Lord
parent 93dd1709d0
commit 0b6a05f541
No known key found for this signature in database
GPG key ID: 7A1C87E3F5BC42A8
1 changed files with 19 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

19
docs/security.rst
View file

@ -258,3 +258,22 @@ certificate key to prevent MITM attacks.
or upgrade your key incorrectly.
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning
Copy/Paste Security Issues
~~~~~~~~~~~~~~~~~~~~~~~~~~
If your website allows users to upload their own code, hidden characters
such as the backspace character (``\b``, ``^H``) can cause the code to
have a different meaning when copy and pasted into terminals.
For example, ``import y\bose\bm\bi\bt\be\b`` renders as
``import yosemite`` but becomes ``import os`` when pasted in a terminal.
Consider applying extra filtering, such as replacing all ``\b``
characters.
.. code-block:: python
body = body.replace("\b", "")
- https://security.stackexchange.com/q/39118