Library is susceptible to XML Injection #41

Closed
thomaskonrad opened this issue Jul 25, 2015 · 1 comment
@thomaskonrad

Hi,

the library fails to XML-encode the dict input and is therefore susceptible to XML injection. See this example:

>>> from dicttoxml import dicttoxml
>>> dict = {'foo': 'bar', '" injected-attribute="value" <!--': 'bar'}
>>> print(dicttoxml(dict, attr_type=False))
b'<?xml version="1.0" encoding="UTF-8" ?><root><key name="" injected-attribute="value" <!--">bar</key><foo>bar</foo></root>'

So one can change the XML structure. Suppose an application uses this library and the input comes (at least partially) from the user; then this may lead to severe security vulnerabilities. See also here.

Proposed solution: XML-encode all data that is placed into the XML document.

Cheers
Thomas

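The following is an added example, not code from dicttoxml or from either participant in this thread, showing the two defences the report implies: element and attribute names cannot be made safe by escaping, so they are validated against a simplified XML Name grammar (an assumption; the real grammar admits more characters) and otherwise carried as a quoted attribute value, while all text and attribute values are escaped with the standard library's `xml.sax.saxutils` helpers. A naive serialiser that mirrors the reported behaviour is included only so the output can be checked for well-formedness, which is the cheap detection a consumer can run on any generated document.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Simplified XML Name grammar (ASCII subset). Assumption for this example;
# the full specification allows many more characters.
_XML_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_.-]*$")


def is_safe_name(name: str) -> bool:
    """True if `name` may be emitted verbatim as an element name."""
    # Names beginning with "xml" (any case) are reserved by the XML spec.
    return bool(_XML_NAME.match(name)) and not name.lower().startswith("xml")


def safe_element(key, value) -> str:
    """Serialise one key/value pair without letting either alter the tree."""
    text = escape(str(value))  # escapes &, < and > in character data
    if is_safe_name(str(key)):
        return f"<{key}>{text}</{key}>"
    # Key is not a valid XML name: keep it as data inside a quoted attribute
    # (quoteattr picks the quote character and escapes the rest).
    return f"<key name={quoteattr(str(key))}>{text}</key>"


def safe_dict_to_xml(data: dict) -> str:
    body = "".join(safe_element(k, v) for k, v in data.items())
    return f'<?xml version="1.0" encoding="UTF-8" ?><root>{body}</root>'


def naive_dict_to_xml(data: dict) -> str:
    """Constructed stand-in for the reported behaviour: keys are interpolated
    unescaped into the tag, so a hostile key rewrites the markup."""
    body = "".join(f'<key name="{k}">{v}</key>' for k, v in data.items())
    return f'<?xml version="1.0" encoding="UTF-8" ?><root>{body}</root>'


def parse_root(xml: str) -> ET.Element:
    # Encode first so the encoding declaration matches the byte input.
    return ET.fromstring(xml.encode("utf-8"))


def is_well_formed(xml: str) -> bool:
    try:
        parse_root(xml)
    except ET.ParseError:
        return False
    return True


def elements_with_attribute(xml: str, attr: str) -> int:
    """Count elements carrying `attr`; a nonzero result for an attribute the
    producer never set is the footprint of a successful injection."""
    return sum(1 for el in parse_root(xml).iter() if attr in el.attrib)


if __name__ == "__main__":
    # Constructed hostile input, mirroring the report above.
    hostile = {"foo": "bar", '" injected-attribute="value" <!--': "bar"}
    print("naive well-formed:", is_well_formed(naive_dict_to_xml(hostile)))
    print(safe_dict_to_xml(hostile))
```

`quoteattr` switches to single quotes when the value contains a double quote, so the hostile key survives as an ordinary attribute value and the parsed tree has exactly the two children the dict declared.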
@quandyfactory
Owner

Thanks for raising this issue. It is fixed in version 1.7.3.
