From 51686f5ab44fce6bc487545f621e199d726b6f50 Mon Sep 17 00:00:00 2001 From: David Lord Date: Sun, 7 Jun 2020 16:45:31 -0700 Subject: [PATCH] expand section on copy/paste security --- docs/security.rst | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/docs/security.rst b/docs/security.rst index 292590c9..94a641d7 100644 --- a/docs/security.rst +++ b/docs/security.rst @@ -259,21 +259,28 @@ certificate key to prevent MITM attacks. - https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning -Copy/Paste Security Issues -~~~~~~~~~~~~~~~~~~~~~~~~~~ -If your website allows users to upload their own code, hidden characters -such as the backspace character (``\b``, ``^H``) can cause the code to -have a different meaning when copy and pasted into terminals. +Copy/Paste to Terminal +---------------------- + +Hidden characters such as the backspace character (``\b``, ``^H``) can +cause text to render differently in HTML than how it is interpreted if +`pasted into a terminal `__. For example, ``import y\bose\bm\bi\bt\be\b`` renders as -``import yosemite`` but becomes ``import os`` when pasted in a terminal. +``import yosemite`` in HTML, but the backspaces are applied when pasted +into a terminal, and it becomes ``import os``. -Consider applying extra filtering, such as replacing all ``\b`` -characters. +If you expect users to copy and paste untrusted code from your site, +such as from comments posted by users on a technical blog, consider +applying extra filtering, such as replacing all ``\b`` characters. .. code-block:: python body = body.replace("\b", "") -- https://security.stackexchange.com/q/39118 +Most modern terminals will warn about and remove hidden characters when +pasting, so this isn't strictly necessary. It's also possible to craft +dangerous commands in other ways that aren't possible to filter. +Depending on your site's use case, it may be good to show a warning +about copying code in general.
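Review bot: the new inline link `pasted into a terminal `__ in the first added paragraph has no URL between the backticks as shown in this hunk, while the same hunk deletes the ``- https://security.stackexchange.com/q/39118`` bullet at the end of the section; unless that URL is the target of the anonymous hyperlink, the reference is lost and Sphinx will fail on the empty anonymous target, so please confirm the link text reads ``\`pasted into a terminal <https://security.stackexchange.com/q/39118>\`__``. Two smaller points: the text says "hidden characters such as the backspace character" but the example filter only strips ``\b``, so either narrow the wording to backspace or mention that the same ``replace`` approach applies to other control characters a site chooses to filter; and the underline changed from ``~`` to ``-`` promotes the section one heading level, so check that this matches the neighbouring headings in ``security.rst`` rather than nesting it differently from the HTTP security headers sections around it.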