Robin Becker
I'm trying to pass xml into a cgi script and have some problems because I both
want to escape all my inputs (to avoid the possibility of an html injection
attack) and also allow my xml to be obtained in its original form.
I thought of this
from xml.sax.saxutils import escape as xmlEscape

class SafeCgiParam(str):
    # the str value itself is the escaped form of the input
    def __new__(cls, v):
        return str.__new__(cls, xmlEscape(v))
    # the unescaped input is kept on the instance
    def __init__(self, v):
        self.__raw__ = v
so
a<&>b
i.e. always wrap the value, but access to the original is possible via __raw__.
However, if you do anything like x.strip() the original is lost. I'm not sure
that's a bad thing, but I thought I would ask what others do for this problem.
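As an added example, not part of Robin's post: the first class below is the post's design, and raw_survives_strip() shows the failure mode described above (str methods return a plain str, so __raw__ is gone). The second class, CgiParam, is a hypothetical alternative that keeps the raw text as the primary value and only derives the escaped form at output time, re-wrapping the results of str methods so the raw form is never lost.

```python
from xml.sax.saxutils import escape as xmlEscape


class SafeCgiParam(str):
    """The post's design: the str value is escaped, the raw input is kept on __raw__."""

    def __new__(cls, v):
        return str.__new__(cls, xmlEscape(v))

    def __init__(self, v):
        self.__raw__ = v


def raw_survives_strip(value):
    """True if the raw input is still reachable after calling .strip() on a SafeCgiParam."""
    stripped = SafeCgiParam(value).strip()
    # str.strip() always builds a plain str, so the subclass attribute is lost
    return hasattr(stripped, "__raw__")


class CgiParam:
    """Hypothetical alternative: store the raw text, escape on output.

    Escaping happens only when the value is rendered (str() or .escaped), and
    every str method result is re-wrapped, so the raw form is always available.
    """

    __slots__ = ("raw",)

    def __init__(self, raw):
        self.raw = raw

    @property
    def escaped(self):
        return xmlEscape(self.raw)

    def __str__(self):
        # rendering into markup always goes through the escaped form
        return self.escaped

    def __getattr__(self, name):
        # delegate str methods (strip, lower, ...) to the raw text and
        # re-wrap any str result so the raw/escaped pair stays intact
        attr = getattr(self.raw, name)
        if not callable(attr):
            return attr

        def wrapped(*args, **kwargs):
            result = attr(*args, **kwargs)
            return CgiParam(result) if isinstance(result, str) else result

        return wrapped


if __name__ == "__main__":
    sample = "  a<&>b "  # constructed sample input
    print(repr(SafeCgiParam(sample)), raw_survives_strip(sample))
    p = CgiParam(sample).strip()
    print(repr(p.raw), repr(p.escaped))
```

With the alternative, the escaped text is produced at the point where the value is written into the document, so ordinary manipulation of the parameter (strip, lower, slicing via the delegated methods) operates on the raw input and cannot drop it.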