Open GoogleCodeExporter opened 9 years ago
In file trunk/recaptcha-plugins/python/recaptcha/client/captcha.py, the function displayhtml(...) generates NOT VALID HTML code (browsers automatically fix this incorrect HTML code, but the HTML error IS PRESENT, see HTML validators). Incorrectly generated HTML may potentially lead to an XSS attack.

To generate VALID HTML, the following Python functions MUST be used:
1. urllib.urlencode ( http://docs.python.org/library/urllib.html#urllib.urlencode )
2. xml.sax.saxutils.escape ( http://docs.python.org/library/xml.sax.utils.html#xml.sax.saxutils.escape )

FOR EXAMPLE, instead of the following incorrect piece of code:

[code]
return """<script type="text/javascript" src="%(ApiServer)s/challenge?k=%(PublicKey)s%(ErrorParam)s"></script>
<noscript>
<iframe src="%(ApiServer)s/noscript?k=%(PublicKey)s%(ErrorParam)s" height="300" width="500" frameborder="0"></iframe><br />
<textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
<input type='hidden' name='recaptcha_response_field' value='manual_challenge' />
</noscript>
""" % {
    'ApiServer' : server,
    'PublicKey' : public_key,
    'ErrorParam' : error_param,
}
[/code]

one may use:

[code]
import urllib
import xml.sax.saxutils
...
# build the query string with urlencode so every value is percent-encoded,
# then escape the whole URL before placing it in an HTML attribute
params = {'k': public_key}
if error:
    params['error'] = error
return """<script type="text/javascript" src="%(script_src)s"></script>
<noscript>
<iframe src="%(noscript_src)s" frameborder="0"></iframe><br />
<textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>
<input type='hidden' name='recaptcha_response_field' value='manual_challenge' />
</noscript>
""" % {
    'script_src': xml.sax.saxutils.escape(
        '%s/challenge?%s' % (server, urllib.urlencode(params))),
    'noscript_src': xml.sax.saxutils.escape(
        '%s/noscript?%s' % (server, urllib.urlencode(params))),
}
[/code]
Original issue reported on code.google.com by polymor...@gmail.com on 11 May 2010 at 4:06
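The following is an added example (written for this page, not code from the recaptcha-plugins project or the reporter) showing why the two-layer fix proposed in the issue matters. It is Python 3 rather than the Python 2 of the original plugin, so `urllib.parse.urlencode` and `html.escape` stand in for `urllib.urlencode` and `xml.sax.saxutils.escape`. `API_SERVER`, `PUBLIC_KEY` and `BAD_ERROR` are constructed values for illustration; `html.parser` is used to see the attributes a browser would actually parse out of each version of the markup.

```python
"""Unescaped vs. escaped generation of the reCAPTCHA widget markup.

Added example, not code from the recaptcha-plugins project. API_SERVER,
PUBLIC_KEY and BAD_ERROR are constructed values for illustration only.
"""
import html
import urllib.parse
from html.parser import HTMLParser

API_SERVER = "https://www.google.com/recaptcha/api"  # assumed server base URL
PUBLIC_KEY = "6Lc_example_public_key"                # constructed, not a real key
# Constructed error value: the double quote ends the src="..." attribute early,
# and everything after it is parsed as new attributes of the tag.
BAD_ERROR = 'x" data-injected="1'

TEMPLATE = (
    '<script type="text/javascript" src="%(script_src)s"></script>\n'
    "<noscript>\n"
    '<iframe src="%(noscript_src)s" height="300" width="500" frameborder="0"></iframe><br />\n'
    '<textarea name="recaptcha_challenge_field" rows="3" cols="40"></textarea>\n'
    '<input type="hidden" name="recaptcha_response_field" value="manual_challenge" />\n'
    "</noscript>\n"
)


def displayhtml_unsafe(public_key, error=None):
    """Mirrors the reported pattern: raw values pasted into the URL and into the
    attribute with '%' formatting. The bare '&' alone makes the markup invalid,
    and a '"' inside `error` breaks out of the attribute."""
    error_param = "&error=%s" % error if error else ""
    query = "k=%s%s" % (public_key, error_param)
    return TEMPLATE % {
        "script_src": "%s/challenge?%s" % (API_SERVER, query),
        "noscript_src": "%s/noscript?%s" % (API_SERVER, query),
    }


def displayhtml_safe(public_key, error=None):
    """Layer 1: urlencode() percent-encodes every parameter value, so the URL
    is well-formed. Layer 2: html.escape(quote=True) turns '&' into '&amp;'
    and any '"' into '&quot;', so the URL cannot terminate the attribute."""
    params = {"k": public_key}
    if error:
        params["error"] = error
    query = urllib.parse.urlencode(params)
    return TEMPLATE % {
        "script_src": html.escape("%s/challenge?%s" % (API_SERVER, query), quote=True),
        "noscript_src": html.escape("%s/noscript?%s" % (API_SERVER, query), quote=True),
    }


class _AttrCollector(HTMLParser):
    """Records every (name, value) attribute pair a browser would see; values
    arrive already HTML-unescaped, exactly as the browser would use them."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(attrs)


def _parse(markup):
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


# Attribute names the template itself writes; anything else was injected.
EXPECTED_ATTRS = {"type", "src", "height", "width", "frameborder", "name", "rows", "cols", "value"}


def injected_attributes(markup):
    """Attribute names present after parsing that the template never writes."""
    return sorted({name for name, _ in _parse(markup)} - EXPECTED_ATTRS)


def extract_error_param(markup):
    """Decode the `error` query parameter from the first src= URL, the way the
    browser would send it to the server; None if the parameter is absent."""
    for name, value in _parse(markup):
        if name == "src":
            query = urllib.parse.urlparse(value).query
            return urllib.parse.parse_qs(query).get("error", [None])[0]
    return None


if __name__ == "__main__":
    for label, render in (("unsafe", displayhtml_unsafe), ("safe", displayhtml_safe)):
        out = render(PUBLIC_KEY, BAD_ERROR)
        print(label, "injected:", injected_attributes(out),
              "error seen by browser:", repr(extract_error_param(out)))
```

Running it shows the difference the report describes: the unescaped version yields an extra `data-injected` attribute and the browser only ever sends `error=x`, while the escaped version yields no extra attributes and the full error string round-trips intact through the query string. Note that `xml.sax.saxutils.escape` does not escape quotes by default; in the reporter's proposal that is acceptable only because `urlencode` has already percent-encoded any quote before the URL is escaped.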