quandyfactory / dicttoxml

Simple library to convert a Python dictionary or other native data type into a valid XML string.

Library is susceptible to XML Injection

thomaskonrad opened this issue · comments

Hi,

the library fails to XML-encode the dict input and is therefore susceptible to XML injection. See this example:

>>> from dicttoxml import dicttoxml
>>> dict = {'foo': 'bar', '" injected-attribute="value" <!--': 'bar'}
>>> print(dicttoxml(dict, attr_type=False))
b'<?xml version="1.0" encoding="UTF-8" ?><root><key name="" injected-attribute="value" <!--">bar</key><foo>bar</foo></root>'

So one can change the XML structure. Suppose an application uses this library and the input comes (at least partially) from the user; then this may lead to severe security vulnerabilities. See also here.

Proposed solution: XML-encode all data that is placed into the XML document.

Cheers
Thomas
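
The following is an added example, not part of the issue and not dicttoxml's own code. It reproduces the behaviour Thomas describes with a stand-in serializer (naive_element, which pastes a key that is not a valid element name into a name="..." attribute unescaped, and pastes values into the text node unescaped), places the hardened variant beside it (safe_element, which uses xml.sax.saxutils.quoteattr and escape), and parses both outputs with xml.etree.ElementTree so the structural change is visible rather than inferred from the raw string. The sample dicts are constructed for the example; the name check NAME_RE is a deliberately conservative assumption and not dicttoxml's rule.

```python
"""Added example: attribute/element injection through an unescaped dict key or
value, and the escaping that prevents it. Stand-in code, not dicttoxml."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Conservative XML Name check (assumed for this example): letter or underscore,
# then word characters, dots or hyphens. Anything else is not a usable tag name.
NAME_RE = re.compile(r"^[A-Za-z_][\w.-]*$")


def naive_element(key, value):
    """Deliberately vulnerable: mimics the reported behaviour. A key that is not a
    valid element name is wrapped as <key name="..."> with the raw key pasted into
    the attribute, and the value is pasted into the text node unescaped."""
    if NAME_RE.match(key):
        return f"<{key}>{value}</{key}>"
    return f'<key name="{key}">{value}</key>'


def safe_element(key, value):
    """Hardened variant: quoteattr() escapes &, <, > and picks a quote character
    the key does not contain; escape() neutralises markup in the text node."""
    text = escape(str(value))
    if NAME_RE.match(key):
        return f"<{key}>{text}</{key}>"
    return f"<key name={quoteattr(key)}>{text}</key>"


def to_xml(d, element_fn):
    """Serialize a flat dict with the given element builder (no nesting needed here)."""
    body = "".join(element_fn(k, v) for k, v in d.items())
    return f'<?xml version="1.0" encoding="UTF-8" ?><root>{body}</root>'


def children(xml):
    """Parse the document and return [(tag, attributes, text)] for each child of
    <root>, or None when the output is not even well-formed XML."""
    try:
        root = ET.fromstring(xml.encode("utf-8"))
    except ET.ParseError:
        return None
    return [(el.tag, dict(el.attrib), el.text) for el in root]


# Constructed inputs. ATTR_PAYLOAD smuggles a second attribute through the key;
# TEXT_PAYLOAD closes the element early and injects a sibling through the value;
# ISSUE_PAYLOAD is the exact dict from the report above.
ATTR_PAYLOAD = {"foo": "bar", '" role="admin': "bar"}
TEXT_PAYLOAD = {"foo": "bar</foo><admin>true</admin><foo>"}
ISSUE_PAYLOAD = {"foo": "bar", '" injected-attribute="value" <!--': "bar"}


if __name__ == "__main__":
    for name, payload in [("attr", ATTR_PAYLOAD), ("text", TEXT_PAYLOAD), ("issue", ISSUE_PAYLOAD)]:
        print(name, "naive:", children(to_xml(payload, naive_element)))
        print(name, "safe: ", children(to_xml(payload, safe_element)))
```

With the naive builder the first payload yields a <key> element carrying an injected role="admin" attribute and the second yields an extra <admin> element; the report's own payload produces output that no longer parses at all, since "<!--" cannot appear inside a start tag. With quoteattr and escape every payload survives the round trip as the literal string it was, and the parsed structure is exactly one element per dict entry.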

Thanks for raising this issue. It is fixed in version 1.7.3,