This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

classification
Title: SimpleCookie.js_output is vulnerable to HTML injection
Type: security Stage:
Components: Library (Lib) Versions: Python 3.11
process
Status: open Resolution:
Dependencies: Superseder:
Assigned To: Nosy List: trungpaaa
Priority: normal Keywords:

Created on 2021-12-22 13:26 by trungpaaa, last changed 2022-04-11 14:59 by admin.

Messages (1)
msg409035 - (view) Author: Trung Pham (trungpaaa) Date: 2021-12-22 13:26 
In /Lib/http/cookies.py, the output from SimpleCookie.js_output might be parsed as HTML if it contained < and >.

```
from http import cookies
c = cookies.SimpleCookie()
c["fig"] = "newton</script><script>alert(document.domain)</script>";

// c.js_output()

<script type="text/javascript">
<!-- begin hiding
document.cookie = "fig=\"newton</script><script>alert(document.domain)</script>\"";
// end hiding -->
</script>
```

We can't simply escape all the special characters because the encoding method is treated differently depending on the document types. For example, the following snippet (from The Tangled Web) is safe in HTML but not in XHTML:

```
<script type="text/javascript">
    var tmp = 'I am harmless! &#x27;+alert(1);// Or am I?';
</script>
```

To avoid messing with the encoding methods, we could encode the cookie string in base64 and let the browser decode it.

```
// c.js_output()
<script type="text/javascript">
document.cookie = base64decode(<ENCODED>);
</script>

```

After searching around on Github, I think this function is rarely used so making it deprecated is also an option.
History
Date User Action Args
2022-04-11 14:59:53adminsetgithub: 90309
2021-12-22 13:26:50trungpaaacreate