
Author: trungpaaa
Recipients: trungpaaa
Date: 2021-12-22 13:26:50
Message-id: <1640179610.51.0.982763035039.issue46151@roundup.psfhosted.org>

Content
In /Lib/http/cookies.py, the output from SimpleCookie.js_output might be parsed as HTML if it contained < and >.

```
from http import cookies
c = cookies.SimpleCookie()
c["fig"] = "newton</script><script>alert(document.domain)</script>"
print(c.js_output())
```

Output of `c.js_output()`:

```
<script type="text/javascript">
<!-- begin hiding
document.cookie = "fig=\"newton</script><script>alert(document.domain)</script>\"";
// end hiding -->
</script>
```

We can't simply escape all the special characters because the encoding method is treated differently depending on the document types. For example, the following snippet (from The Tangled Web) is safe in HTML but not in XHTML:

```
<script type="text/javascript">
    var tmp = 'I am harmless! &#x27;+alert(1);// Or am I?';
</script>
```

To avoid messing with the encoding methods, we could encode the cookie string in base64 and let the browser decode it.

```
// c.js_output()
<script type="text/javascript">
document.cookie = base64decode(<ENCODED>);
</script>
```

After searching around on GitHub, I think this function is rarely used, so making it deprecated is also an option.
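The base64 mitigation sketched above, written out as an added example that is not part of the report or of CPython's `http.cookies`: `safe_js_output`, `decoded_headers`, `is_script_safe` and `report_cookie` are names chosen here, and the browser-side decode uses `atob` plus `TextDecoder` because `atob` alone yields a Latin-1 string.

```python
import base64
import re
from http import cookies

# Added example, not code from the bug report or from CPython's http.cookies.
PAYLOAD_RE = re.compile(r'atob\("([A-Za-z0-9+/=]*)"\)')


def safe_js_output(cookie: cookies.SimpleCookie) -> str:
    """Build a <script> block that sets each Morsel from a base64 payload.

    The base64 alphabet (A-Z, a-z, 0-9, +, /, =) contains none of < > & ' ",
    so the encoded header can neither close the <script> element nor break
    out of the JS string literal, in HTML or XHTML alike.
    """
    lines = ['<script type="text/javascript">']
    for morsel in cookie.values():
        header = morsel.OutputString()  # e.g. fig="newton</script>..."; unsafe raw
        payload = base64.b64encode(header.encode("utf-8")).decode("ascii")
        # atob() yields a Latin-1 string, so decode the bytes as UTF-8 in the browser.
        lines.append(
            "document.cookie = new TextDecoder().decode(Uint8Array.from("
            f'atob("{payload}"), function (c) {{ return c.charCodeAt(0); }}));'
        )
    lines.append("</script>")
    return "\n".join(lines)


def decoded_headers(output: str) -> list:
    """Server-side mirror of the browser decode: the cookie strings the script sets."""
    return [base64.b64decode(p).decode("utf-8") for p in PAYLOAD_RE.findall(output)]


def is_script_safe(output: str) -> bool:
    """True if no line between the <script> tags carries a tag or entity delimiter."""
    inner = output.split("\n")[1:-1]
    return all(not set("<>&'") & set(line) for line in inner)


def report_cookie() -> cookies.SimpleCookie:
    """The cookie value from the report, constructed here as sample input."""
    c = cookies.SimpleCookie()
    c["fig"] = "newton</script><script>alert(document.domain)</script>"
    return c


if __name__ == "__main__":
    print(safe_js_output(report_cookie()))
```

Running the script shows a single `<script>` element whose payload decodes back to the original `fig=...` header, with no `</script>` sequence anywhere in the emitted markup.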
History

| Date | User | Action | Args |
| --- | --- | --- | --- |
| 2021-12-22 13:26:50 | trungpaaa | set | recipients: + trungpaaa |
| 2021-12-22 13:26:50 | trungpaaa | set | messageid: <1640179610.51.0.982763035039.issue46151@roundup.psfhosted.org> |
| 2021-12-22 13:26:50 | trungpaaa | link | issue46151 messages |
| 2021-12-22 13:26:50 | trungpaaa | create | |