Browse Source

Expanded the security docs to mention unquoted attributes as dangerous

pull/112/head
Armin Ronacher 15 years ago
parent
commit
559d2810d7
  1. 25
      docs/security.rst

25
docs/security.rst

@ -30,6 +30,31 @@ careful:
content-type guessing based on the first few bytes so users could content-type guessing based on the first few bytes so users could
trick a browser to execute HTML. trick a browser to execute HTML.
Another thing that is very important are unquoted attributes. While
Jinja2 can protect you from XSS issues by escaping HTML, there is one
thing it cannot protect you from: XSS by attribute injection. To counter
this possible attack vector, be sure to always quote your attributes with
either double or single quotes when using Jinja expressions in them:
.. sourcecode:: html+jinja
<a href="{{ href }}">the text</a>
Why is this necessary? Because if you would not be doing that, an
attacker could easily inject custom JavaScript handlers. For example an
attacker could inject this piece of HTML+JavaScript:
.. sourcecode:: html
onmouseover=alert(document.cookie)
When the user would then move with the mouse over the link, the cookie
would be presented to the user in an alert window. But instead of showing
the cookie to the user, a good attacker might also execute any other
JavaScript code. In combination with CSS injections the attacker might
even make the element fill out the entire page so that the user would
just have to have the mouse anywhere on the page to trigger the attack.
Cross-Site Request Forgery (CSRF) Cross-Site Request Forgery (CSRF)
--------------------------------- ---------------------------------

Loading…
Cancel
Save