Message79915
> What's wrong with < and >?
>>> c=Cookie.Cookie('Customer="</script>";'); print c.js_output()
<script type="text/javascript">
<!-- begin hiding
document.cookie = "Customer="</script>"";
// end hiding -->
</script>
It allows HTML/Javascript injection. Well, Python 2.5 already displays
a warning:
/usr/lib/python2.5/Cookie.py:710: DeprecationWarning:
Cookie/SmartCookie class is insecure; do not use it
The right fix is maybe to remove deprecated and unsecure function! |
|
Date |
User |
Action |
Args |
2009-01-15 19:53:56 | vstinner | set | recipients:
+ vstinner, noufal |
2009-01-15 19:53:56 | vstinner | set | messageid: <1232049236.59.0.0738130759742.issue4860@psf.upfronthosting.co.za> |
2009-01-15 19:53:55 | vstinner | link | issue4860 messages |
2009-01-15 19:53:55 | vstinner | create | |
|