I am trying to automatically HTML-escape strings going into JSON objects. simplejson has JSONEncoderForHTML, which should do just that. Here's how it escapes HTML:
chunk = chunk.replace('&', '\\u0026')
chunk = chunk.replace('<', '\\u003c')
chunk = chunk.replace('>', '\\u003e')
1) Why are these codes used instead of HTML encoding like cgi.escape?
which is:
chunk = chunk.replace('&', '&amp;')
chunk = chunk.replace('<', '&lt;')
chunk = chunk.replace('>', '&gt;')
About each of them:
simplejson: to embed JSON content, for example, in a script tag on a web page, the characters &, < and > must be escaped. They cannot be escaped with the usual entities (e.g. &amp;), because they are not expanded within script tags.
cgi.escape: converts the characters "&", "<" and ">" in a string to HTML-safe sequences.
2) ?
, , simplejson XSS , html- cgi.escape, XSS.
{'label': 'XSS HERE"><script>alert(1)</script>'}
simplejson.encoder.JSONEncoderForHTML:
{"label": "XSS HERE\"\u003e\u003cScript\u003eAlert(1);\u003c/Script\u003e"}
simplejson.encoder.JSONEncoderForHTML replace & .., :
{"label": "XSS HERE\"><Script>Alert(1);</Script>"}
.js script ( html):
// result is an object from the decoded JSON response; result.label is inserted with .text()
return $('<a/>').attr('href', result.url)
    .append($('<img>').attr('src', imageurl)
        .addClass(image_class)
        .after($('<span/>')
            .addClass(label_class).text(result.label)));
result.label is the 'label' field from the JSON.
3) , javascript, 1 simplejson, cgi.escape?
\\u003c < ?
, , JSON - , , - :
response = {'A': Escape(a), 'B': Escape(b)}  # Escape: whichever HTML-escaping function is chosen
return json.dumps(response)
4) html, json?
, tornado.escape.recursive_unicode, ?
- ?
: , ?
<div id="alert">a</div>
$("#alert").html("XSS HERE\"\u003e\u003cScript\u003ealert(1);\u003c/Script\u003e");
http://jsfiddle.net/AcLYd/
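The difference the question is circling, shown as an added example (this is not code from the question or from simplejson; it assumes Python 3, where html.escape is the replacement for cgi.escape, and the sample payload is constructed from the question's own example). It serializes the same object three ways and checks the two properties that actually matter: whether the serialized text can terminate a surrounding script element, and whether a JSON parser gives back the original value.

```python
import json
import html  # assumption: Python 3; html.escape(s, quote=False) does what cgi.escape did

# Constructed sample payload, taken from the question's example.
PAYLOAD = {'label': 'XSS HERE"><script>alert(1)</script>'}


def plain_json(obj):
    """json.dumps as-is: '<', '>' and '</script>' survive verbatim."""
    return json.dumps(obj)


def json_for_script(obj):
    """json.dumps plus the three replacements JSONEncoderForHTML makes.
    \\u00XX is a legal JSON escape, so the decoded value is unchanged, but the
    serialized text never contains a literal '<', '>' or '&'."""
    text = json.dumps(obj)
    for raw, esc in (('&', '\\u0026'), ('<', '\\u003c'), ('>', '\\u003e')):
        text = text.replace(raw, esc)
    return text


def json_with_entities(obj):
    """Entity-encode every string value (cgi.escape / html.escape style) before
    json.dumps. This changes the data: the client receives '&lt;', not '<'."""
    def walk(v):
        if isinstance(v, str):
            return html.escape(v, quote=False)
        if isinstance(v, dict):
            return {k: walk(x) for k, x in v.items()}
        if isinstance(v, list):
            return [walk(x) for x in v]
        return v
    return json.dumps(walk(obj))


def can_close_script_tag(serialized):
    """The HTML tokenizer ends a <script> block at the first '</script' it
    sees, regardless of JavaScript string quoting. This is the property that
    matters for JSON written inline into a <script> element."""
    return '</script' in serialized.lower()


def round_trips(serialized, original):
    """True if a JSON parser (json.loads here, JSON.parse in the browser)
    returns exactly the original object."""
    return json.loads(serialized) == original


def decoded_label(serialized):
    """What the client-side code would see in result.label after parsing."""
    return json.loads(serialized)['label']


if __name__ == '__main__':
    for name, fn in (('plain', plain_json),
                     ('JSONEncoderForHTML-style', json_for_script),
                     ('entity-escaped values', json_with_entities)):
        out = fn(PAYLOAD)
        print(name)
        print('  serialized      :', out)
        print('  can close script:', can_close_script_tag(out))
        print('  round-trips     :', round_trips(out, PAYLOAD))
        print('  decoded label   :', decoded_label(out))
```

The \u00XX form only protects the transport context (the JSON sitting inside a script element); after JSON.parse the label is again the raw string with `<script>` in it, which is why the update's `.html()` call executes it while the `.text()` call in the question's own jQuery code does not. Entity-escaping before json.dumps removes that raw markup but changes the value, so a `.text()` sink would then show `&lt;script&gt;` literally.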