felipebluecaribu / recaptcha

Automatically exported from code.google.com/p/recaptcha

captcha.py: generates NOT VALID HTML code (may not be secure against XSS attack) #69

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
in file trunk/recaptcha-plugins/python/recaptcha/client/captcha.py:

function displayhtml(...) -- generates NOT VALID HTML code

(browsers automatically fix this incorrect HTML code, but the HTML error IS
PRESENT (see HTML validators). Incorrect HTML generation may
potentially lead to an XSS attack)

to generate VALID HTML, the following Python functions MUST be used:
 1. urllib.urlencode (
http://docs.python.org/library/urllib.html#urllib.urlencode )
 2. xml.sax.saxutils.escape (
http://docs.python.org/library/xml.sax.utils.html#xml.sax.saxutils.escape )

FOR EXAMPLE:

instead of the following incorrect piece of code:

[code]    return """<script type="text/javascript"
src="%(ApiServer)s/challenge?k=%(PublicKey)s%(ErrorParam)s"></script>

<noscript>
  <iframe src="%(ApiServer)s/noscript?k=%(PublicKey)s%(ErrorParam)s"
height="300" width="500" frameborder="0"></iframe><br />
  <textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
  <input type='hidden' name='recaptcha_response_field'
value='manual_challenge' />
</noscript>
""" % {
        'ApiServer' : server,
        'PublicKey' : public_key,
        'ErrorParam' : error_param,
        }
[/code]

one may use:

[code]import urllib
import xml.sax.saxutils
...

    # build the query string with urlencode so every value is percent-encoded
    params = {'k': public_key}
    if error:
        params['error'] = error

    return """<script type="text/javascript" src="%(script_src)s"></script>

<noscript>
  <iframe src="%(noscript_src)s" frameborder="0"></iframe><br />
  <textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
  <input type='hidden' name='recaptcha_response_field'
value='manual_challenge' />
</noscript>
""" % {
        # escape the finished URL (&, <, >) before placing it in an attribute
        'script_src': xml.sax.saxutils.escape(
            '%s/challenge?%s' % (
                server,
                urllib.urlencode(params))),
        'noscript_src': xml.sax.saxutils.escape(
            '%s/noscript?%s' % (
                server,
                urllib.urlencode(params)))}
[/code]

Original issue reported on code.google.com by polymor...@gmail.com on 11 May 2010 at 4:06

Attachments:
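The following is an added, self-contained example that is not code from the issue above or from the recaptcha project. It shows, in Python 3 (so urllib.parse.urlencode and html.escape stand in for the Python 2 urllib.urlencode and xml.sax.saxutils.escape the report cites), why raw interpolation of the error parameter into the src attribute is a problem and how the urlencode-then-escape construction the reporter proposes closes it. The server and key values are constructed, and the "unsafe" helper reconstructs the reported pattern under the assumption that the error parameter is appended as '&error=' followed by the raw value, which the report's snippet implies but does not show.

```python
import html
from urllib.parse import urlencode
from xml.sax import saxutils

# Constructed sample inputs (assumptions, not values from the issue).
SERVER = "http://www.google.com/recaptcha/api"
PUBLIC_KEY = "6Lc_example_public_key"
# An attacker-controlled "error" value that tries to close the src attribute
# and the <script> element, then inject its own script element.
EVIL_ERROR = '"></script><script>alert(1)</script>'


def display_html_unsafe(server, public_key, error=None):
    """Reconstruction of the reported pattern: the error value is spliced
    into the URL and into the attribute with no encoding at all.
    Assumption: ErrorParam is built as '&error=' + error."""
    error_param = ''
    if error:
        error_param = '&error=%s' % error
    return ('<script type="text/javascript" '
            'src="%s/challenge?k=%s%s"></script>'
            % (server, public_key, error_param))


def challenge_url(server, public_key, error=None):
    """Build the challenge URL with urlencode: every query value is
    percent-encoded, so quotes and angle brackets cannot survive."""
    params = {'k': public_key}
    if error:
        params['error'] = error
    return '%s/challenge?%s' % (server, urlencode(params))


def display_html_safe(server, public_key, error=None):
    """The proposed construction: encode the query, then escape the whole
    URL for the HTML attribute context.  html.escape(quote=True) also turns
    " and ' into entities, which saxutils.escape does not do by default."""
    url = challenge_url(server, public_key, error)
    return ('<script type="text/javascript" src="%s"></script>'
            % html.escape(url, quote=True))


def attribute_breakout(markup):
    """Crude detector for the injection: more than one <script start tag
    means the attacker's element survived into the markup."""
    return markup.count('<script') > 1


def saxutils_escapes_quotes():
    """Caveat from the report's choice of escaper: saxutils.escape only
    replaces &, < and > unless an entity map is supplied, so a double quote
    passes through unchanged."""
    return '"' not in saxutils.escape('"')


if __name__ == '__main__':
    print(display_html_unsafe(SERVER, PUBLIC_KEY, EVIL_ERROR))
    print(display_html_safe(SERVER, PUBLIC_KEY, EVIL_ERROR))
```

With the reporter's construction the quotes in the query string are already percent-encoded by urlencode before the escaper sees them, so the missing quote handling in xml.sax.saxutils.escape only matters for the server part of the URL, which the library controls; a general-purpose attribute escaper (or saxutils.escape with an entity map for " and ') is still the safer default.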