Is there a good, actively maintained python library available for filtering malicious input such as XSS?
To protect against most XSS vulnerabilities, follow three practices, the first of which is to escape user input. Escaping means converting the key characters in the data a web page receives so that the data cannot be interpreted in a malicious way; the special characters are not rendered as markup.
Cross-site scripting (XSS) is a computer security vulnerability that allows malicious attackers to inject client-side script into web pages viewed by other users. You can use the Cross-site Scripting Filter setting to check all HTTP GET requests sent to IBM® OpenPages® with Watson™.
Escaping is the primary means to avoid cross-site scripting attacks. When escaping, you are effectively telling the web browser that the data you are sending should be treated as data and should not be interpreted in any other way.
Cross-Site Scripting (XSS): Filter Evasion and Sideloading. I'll show you some techniques hackers use to get past common remediation efforts. First is filter evasion, which uses different types of tags to insert malicious code when filters are in place to prevent scripts from running.
If you are using a web framework and a template engine like Jinja2 there is a chance that the template engine or the framework has something built in just for that.
There is something in the cgi module that can help you:
import cgi  # cgi.escape was deprecated in Python 3.2 and removed in 3.8; html.escape is its replacement
cgi.escape('malicious code here')
See: http://docs.python.org/library/cgi.html#cgi.escape
Also Jinja2 provides escaping:
from jinja2 import utils  # utils.escape is markupsafe.escape; importing it from markupsafe directly avoids relying on this re-export
str(utils.escape('malicious code here'))
You can easily code XSS-defense in Python, see for example http://code.activestate.com/recipes/496942/ for an instructive and usable piece of code.
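As an added example (not code from the question or any answer above), here is a stdlib-only escaper built on html.escape, the replacement for cgi.escape, that escapes per output context and shows why the old cgi.escape default of leaving quotes alone is unsafe inside an attribute. USER_INPUT is a constructed sample; the function names are my own.

```python
import html

# Constructed sample of attacker-controlled input (not taken from the page).
USER_INPUT = '"><img src=x onerror=alert(1)>'


def escape_for_html_text(value: str) -> str:
    """Escape a value placed between tags (a text node).
    html.escape rewrites & < > " ' so the browser shows literal text."""
    return html.escape(value)


def escape_for_html_attribute(value: str) -> str:
    """Escape a value placed inside a double-quoted attribute.
    quote=True (the html.escape default) is essential here: an unescaped
    double quote would close the attribute and let new markup begin."""
    return html.escape(value, quote=True)


def legacy_cgi_style_escape(value: str) -> str:
    """Reproduce the pitfall: cgi.escape defaulted to quote=False, so it
    only handled & < > and left quotes intact. Fine for text nodes,
    wrong for attribute values."""
    return html.escape(value, quote=False)


def render_comment(author: str, body: str) -> str:
    """Build an HTML fragment with each untrusted value escaped for the
    context it lands in (attribute vs. text node)."""
    return (
        f'<div class="comment" data-author="{escape_for_html_attribute(author)}">'
        f"<p>{escape_for_html_text(body)}</p></div>"
    )


def payload_neutralised(fragment: str) -> bool:
    """Check used by the demo: no <img tag from USER_INPUT may survive
    as markup and no raw double quote may remain in the output."""
    return "<img" not in fragment and '"' not in fragment.split('data-author="', 1)[1].split('">', 1)[0]


if __name__ == "__main__":
    print(render_comment(USER_INPUT, USER_INPUT))
    # The legacy behaviour keeps the quote, which is what breaks attribute context:
    print(legacy_cgi_style_escape(USER_INPUT))
```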