python/cgi/html bug

Hi.

I've written a cgi messageboard script in python, for an irc chan I happen
to frequent.

Bear with me, it's hard for me to describe what the bug is. So I've
divided this post into two sections: HOW MY SCRIPT WORKS, and WHAT THE
BUG IS.

HOW MY SCRIPT WORKS

Basically, it's divided into two executable scripts......

One is the thread viewer, ppthread.py, which views threads. When someone
posts a new topic, for instance called "Generic new topic", it creates
a file called "Generic new topic.thread". It stores the post, and any
subsequent posts in the thread, in that file. Nice and simple I
figured.

The other executable script is the topic viewer, pptopic.py. All that does
is display the topics, by doing a "tops = os.popen('ls -c *.thread')". The
"ls -c" part reads the threads in the order in which they've been
modified, so the first item in the list is always the thread most recently
posted in.

It then creates an html link to each of the threads ... on the page the
html looks like....

<a href = ppthread.py?subject=foo>foo</a><br>

WHAT THE BUG IS ....

The problem is when someone posts a new topic, and that topic happens to
have "" double quotes, or any other strange character, some strange
glitches occur.

Best way to describe it is to demonstrate: go to the forum and try
it yourself. Try entering a topic with straight, ordinary characters; note
that you can re-enter the thread any time you want and make new posts
under it. Then try entering a thread with new or whacky characters and see
how far you get.

http://funkmunch.net/~pirch/cgi-bin/...rum/pptopic.py

BTW, if you want to download the script, here it is in gzipped form
http://funkmunch.net/~pirch/pepperpot.tgz

Jul 18 '05 #1

Dfenestr8 wrote:
> Hi.
>
> I've written a cgi messageboard script in python, for an irc chan I happen to frequent.
>
> Bear with me, it's hard for me to describe what the bug is. So I've
> divided this post into two sections: HOW MY SCRIPTS WORKS, and WHAT THE BUG IS.
> ...
> The problem is when someone posts a new topic, and that topic happens to have "" double quotes, or any other strange character, some strange
> glitches occur.


Use cgi.escape(topic, True) to convert HTML special characters to the
equivalent ampersand escape sequences.

Jul 18 '05 #2
On Tue, 18 Jan 2005 21:50:58 -0800, Dan Bishop wrote:

> Dfenestr8 wrote:
>> Hi.
>>
>> I've written a cgi messageboard script in python, for an irc chan I
>> happen to frequent.
>>
>> Bear with me, it's hard for me to describe what the bug is. So I've
>> divided this post into two sections: HOW MY SCRIPTS WORKS, and WHAT
>> THE BUG IS.
>> ...
>> The problem is when someone posts a new topic, and that topic happens
>> to have "" double quotes, or any other strange character, some strange
>> glitches occur.
>
> Use cgi.escape(topic, True) to convert HTML special characters to the
> equivalent ampersand escape sequences.


Thanx.

Seems to work now. :)

Jul 18 '05 #3

Dfenestr8 wrote:
> Hi.
>
> I've written a cgi messageboard script in python, for an irc chan I happen to frequent.

This looks very good.
I've been looking for a python messageboard CGI for a long time.

If you wanted to add user accounts/login/admin etc. you could use
'Login Tools'. This is a python module built especially to do that. It
also provides a convenient way of saving user preferences etc.

http://www.voidspace.org.uk/python/logintools.html

If you want any help using it then feel free to ask.

Regards,

Fuzzy
http://www.voidspace.org.uk/python/index.shtml

Jul 18 '05 #4
On Wed, 19 Jan 2005 04:32:04 -0800, Fuzzyman wrote:
> This looks very good.
> I've been looking for a python messageboard CGI for a long time.

Thanx!

No glaring security holes that you noticed? Other than being able to hide
things in html tags?

> If you wanted to add user accounts/login/admin etc. you could use 'Login
> Tools'. This is a python module built especially to do that. It also
> provides a convenient way of saving user preferences etc.
>
> http://www.voidspace.org.uk/python/logintools.html
>
> If you want any help using it then feel free to ask.
>
> Regards,

Jul 18 '05 #5
Dfenestr8 <ch**************@yahoo.com.au> writes:
> No glaring security holes that you noticed? Other than being able to hide
> things in html tags?

Looks like you can also embed arbitrary javascript (I just tried it).
I haven't looked at the script itself yet.
Jul 18 '05 #6
On Wed, 19 Jan 2005 12:15:18 -0800, Paul Rubin wrote:
> Dfenestr8 <ch**************@yahoo.com.au> writes:
>> No glaring security holes that you noticed? Other than being able to
>> hide things in html tags?
>
> Looks like you can also embed arbitrary javascript (I just tried it). I
> haven't looked at the script itself yet.

fixed that.
try doing it now......

http://funkmunch.net/~pirch/cgi-bin/...rum/pptopic.py

Jul 18 '05 #7
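
The escaping advice in post #2 and the script-embedding problem reported in post #6, as an added example that is not part of the thread or of the poster's script: it renders the topic link both ways and parses the result back to show what a browser-like parser sees. It uses html.escape because cgi.escape was removed in Python 3.8; the names unsafe_topic_link, topic_link, LinkAudit and audit are hypothetical, and the sample topics are constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlsplit


def unsafe_topic_link(topic):
    # The link format shown in the original post: topic pasted in verbatim.
    return "<a href = ppthread.py?subject=%s>%s</a><br>" % (topic, topic)


def topic_link(topic):
    # Two contexts, two encodings: percent-encode the query value, then
    # HTML-escape what goes into the quoted attribute and the link text.
    href = "ppthread.py?subject=" + quote(topic, safe="")
    return '<a href="%s">%s</a><br>' % (html.escape(href, quote=True),
                                        html.escape(topic, quote=True))


class LinkAudit(HTMLParser):
    """Records the tags, hrefs and text that an HTML parser extracts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.tags, self.hrefs, self.text = [], [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.hrefs += [v for k, v in attrs if k == "href"]

    def handle_data(self, data):
        self.text.append(data)


def audit(markup):
    # Returns (tags seen, subject value recovered from each href, visible text).
    p = LinkAudit()
    p.feed(markup)
    p.close()
    subjects = [parse_qs(urlsplit(h).query).get("subject", [None])[0]
                for h in p.hrefs]
    return p.tags, subjects, "".join(p.text)


# Constructed sample topics (not taken from the forum).
SAMPLES = ['Generic new topic', 'say "hi" & bye', '<script>alert(1)</script>']

if __name__ == "__main__":
    for t in SAMPLES:
        print(audit(unsafe_topic_link(t)), audit(topic_link(t)))
```

With the escaped form every sample parses to a single link whose subject and text equal the topic exactly; with the verbatim form the href is cut off at the first space or `>` and the third sample produces a script element.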
