user2667066
Reputation: 2109
Web2py: is it dangerous to display request.args[0]
From a web2py controller, I'm returning something like:
raise HTTP(404,"Sorry, could not find {}".format(request.args[0]))
But is that dangerous? What if someone calls the page with a malicious args string? Could they inject html into my return page and construct a page on my server that contains their html content? What if they inject a huge amount of data into args[0] - will it DoS my server?
Upvotes: 0
Views: 97
Answers (1)
Anthony
Reputation: 25536
To be safe, just do:
raise HTTP(404, xmlescape("Sorry, could not find {}".format(request.args[0])))
xmlescape() will escape the text, so there will be no HTML/JS for the browser to display.
Upvotes: 1
Related Questions
- Web2Py on AWS EC2 Linux
- Grab array from div text to plot with ChartJS
- Pass dict to controller
- angularJS & web2py: calling python from ng/javascript/html
- Web2Py - Custom File Upload Form with Crud
- web2py site doesn't load all images/videos (especially larger ones)
- web2py SQLFORM accepting too fast
- web2py custom 404 page when I raise the 404 myself?
- web2py request.args(0) permissions