Closed mquartus closed 6 months ago
Hey, thanks for bringing this up. Internally validators.url()
uses Python's urllib.parse.parse_qs
function. The behavior of parse_qs
changed in Python 3.9.2. See for yourself:
Python 3.9.2 (default, Mar 21 2024, 06:39:21)
[GCC 13.2.1 20230801] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from urllib.parse import parse_qs
>>> parse_qs("q=search');alert(document.domain);", strict_parsing=True)
{'q': ["search');alert(document.domain);"]}
Python 3.9.1 (default, Mar 21 2024, 06:40:47)
[GCC 13.2.1 20230801] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from urllib.parse import parse_qs
>>> parse_qs("q=search');alert(document.domain);", strict_parsing=True)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/home/us-er/.local/share/mise/installs/python/3.9.1/lib/python3.9/urllib/parse.py", line 692, in parse_qs
pairs = parse_qsl(qs, keep_blank_values, strict_parsing,
File "/home/us-er/.local/share/mise/installs/python/3.9.1/lib/python3.9/urllib/parse.py", line 747, in parse_qsl
raise ValueError("bad query field: %r" % (name_value,))
raise ValueError("bad query field: %r" % (name_value,))
ValueError: bad query field: 'alert(document.domain)'
If you can tell me why, I may be able to resolve it.
Ah OK thanks. Leave it then to upstream if this gets their way and they will probably fix it.
Hello,
I am not sure if this is the desired behaviour so I just wanted to check with you. We have had an issue that came up where we wanted to fix a valid cross-site scripting vulnerability in our web application code where the following malicious code – including apostrophe (
'
) and a round bracket sign ()
)– was injected:https://example.org?q=search');alert(document.domain);
But when tried to use the
validators.url()
function it accepts the above as True :Apparently this should not happen. The desired behaviour of the
url()
routine is would be False in this case. Do I overlook something or is the above accepted? Let me know if I am missing something or you need further information. My version of validators is 0.23.2 on Python 3.9.6 .Thank you, Miklos