Escape problem

ketulp_baroda

Hi
I am developing a web application.
I have a string 'foo"bar"', say in variable s.
When I print s on the Python shell it prints correctly 'foo"bar"',
whereas when I try to display s on the form it just prints 'foo'. What
should I do to print the complete string 'foo"bar"' on the form?
 
Jeff Epler

The exact answer depends on what library you're using in your
application.

The low-level answer is that you must properly escape characters that
would otherwise be treated specially by HTML.

For example, the output needs to look like this
<FORM ...>
<INPUT TYPE="text" NAME="something" VALUE="foo&quot;bar&quot;">
...
</FORM>

If you do not escape or otherwise treat specially the " characters, the
resulting non-html output will contain something like
<INPUT TYPE="text" NAME="something" VALUE="foo"bar"">

.... this kind of bug can also lead to cross-site scripting (XSS) problems,
for instance if an attacker can control the string in question and sets
it to something like '"><SCRIPT>alert(document.cookie)</SCRIPT>'...

Jeff
 
Terry Reedy

Hi
I am developing a web application.
I have a string 'foo"bar"', say in variable s.
When I print s on the Python shell it prints correctly 'foo"bar"',
whereas when I try to display s on the form it just prints 'foo'. What
should I do to print the complete string 'foo"bar"' on the form?

If I understand correctly, you are trying to print a string with an
embedded double quote ("), which HTML interprets as a metachar rather than
as content. Isn't there an entity reference for the double quote char?
named 'quote' maybe?

tjr
 
Thomas Guettler

On Tue, 02 Mar 2004 06:57:19 -0800, ketulp_barod wrote:
Hi
I am developing a web application.
I have a string 'foo"bar"', say in variable s.
When I print s on the Python shell it prints correctly 'foo"bar"',
whereas when I try to display s on the form it just prints 'foo'. What
should I do to print the complete string 'foo"bar"' on the form?

Hi,

have a look at the HTML source-code. Does it look right?

If you want to use the value in an attribute,
you need to quote it:

cgi.escape(s, 1)

thomas
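An added example (not code from any poster in this thread) showing the effect Jeff describes and the fix Thomas points at: cgi.escape(s, 1) is gone in current Python, so the example uses its replacement html.escape(s, quote=True). The tag layout, the field name "something" and the sample strings are constructed from the thread; html.parser stands in for the browser to show what attribute value actually survives in each case.

```python
import html
from html.parser import HTMLParser


def render_input_unsafe(name, value):
    # The bug from the thread: the value is dropped into the attribute
    # verbatim, so an embedded " terminates the attribute early.
    return '<INPUT TYPE="text" NAME="%s" VALUE="%s">' % (name, value)


def render_input(name, value):
    # html.escape(..., quote=True) is the Python 3 equivalent of
    # cgi.escape(s, 1): besides & < > it turns " and ' into entities,
    # which is what a value inside a quoted attribute needs.
    return '<INPUT TYPE="text" NAME="%s" VALUE="%s">' % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


class _TagCollector(HTMLParser):
    """Records every start tag and its attributes, as a browser would see them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases names and decodes &quot; etc. in values.
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def browser_value(markup):
    """VALUE attribute of the first INPUT tag, or None if there is none."""
    for tag, attrs in parse_tags(markup):
        if tag == "input":
            return attrs.get("value")
    return None


if __name__ == "__main__":
    s = 'foo"bar"'  # the poster's sample string
    print(browser_value(render_input_unsafe("something", s)))  # foo
    print(browser_value(render_input("something", s)))         # foo"bar"
```

Feeding the payload quoted in Jeff's reply through the same two functions shows why this is more than a display glitch: parse_tags() reports an extra script tag for the unescaped markup and only the input tag for the escaped one.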
 
ketulp_baroda

Jeff Epler said:
The exact answer depends on what library you're using in your
application.

The low-level answer is that you must properly escape characters that
would otherwise be treated specially by HTML.

For example, the output needs to look like this
<FORM ...>
<INPUT TYPE="text" NAME="something" VALUE="foo&quot;bar&quot;">
...
</FORM>

If you do not escape or otherwise treat specially the " characters, the
resulting non-html output will contain something like
<INPUT TYPE="text" NAME="something" VALUE="foo"bar"">

... this kind of bug can also lead to cross-site scripting (XSS) problems,
for instance if an attacker can control the string in question and sets
it to something like '"><SCRIPT>alert(document.cookie)</SCRIPT>'...

Jeff

Thanks, that solved my problem.