Library is susceptible to XML Injection
thomaskonrad opened this issue · 1 comment
thomaskonrad commented
Hi,
the library fails to XML-encode the dict input and is therefore susceptible to XML injection. See this example:
```python
>>> from dicttoxml import dicttoxml
>>> data = {'foo': 'bar', '" injected-attribute="value" <!--': 'bar'}
>>> print(dicttoxml(data, attr_type=False))
b'<?xml version="1.0" encoding="UTF-8" ?><root><key name="" injected-attribute="value" <!--">bar</key><foo>bar</foo></root>'
```
So one can change the XML structure. Suppose an application uses this library and the input comes (at least partially) from the user; this may lead to severe security vulnerabilities. See also here.
Proposed solution: XML-encode all data that is placed into the XML document.
Cheers
Thomas
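The proposed fix, as an added illustration that is not the library's own code: a minimal serializer in the faulty, concatenating form beside a hardened one that runs text through `escape()`, attribute values through `quoteattr()`, and only lets valid XML names become tag names. The simplified ASCII name regex, the helper names and the sample dict (taken from the report above) are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

# Constructed input, copied from the report above.
INJECTED_KEY = '" injected-attribute="value" <!--'
SAMPLE = {'foo': 'bar', INJECTED_KEY: 'bar'}

# Simplified, ASCII-only approximation of an XML Name (an assumption here).
XML_NAME = re.compile(r'^[A-Za-z_][A-Za-z0-9_.\-]*$')

PROLOG = '<?xml version="1.0" encoding="UTF-8" ?>'


def render_unsafe(data):
    """Mirror the faulty behaviour: keys and values are concatenated verbatim,
    so a key containing quotes or '<' rewrites the markup."""
    parts = []
    for key, value in data.items():
        if XML_NAME.match(key):
            parts.append(f'<{key}>{value}</{key}>')
        else:
            parts.append(f'<key name="{key}">{value}</key>')
    return f'{PROLOG}<root>{"".join(parts)}</root>'


def render_safe(data):
    """Hardened form: escape() for text content, quoteattr() for attribute
    values (it chooses the quote character and adds the quotes itself), and
    only keys that are valid XML names are used as tag names."""
    parts = []
    for key, value in data.items():
        text = escape(str(value))
        if XML_NAME.match(key):
            parts.append(f'<{key}>{text}</{key}>')
        else:
            parts.append(f'<key name={quoteattr(key)}>{text}</key>')
    return f'{PROLOG}<root>{"".join(parts)}</root>'


def key_attributes(xml_text):
    """Parse the document with a real XML parser and return the attributes of
    the <key> element, or None when the document is not well-formed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    key = root.find('key')
    return dict(key.attrib) if key is not None else {}
```

With the hostile key, `render_unsafe` yields a document the parser rejects, while `render_safe` yields one whose `name` attribute round-trips to the original string and carries no extra attribute.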
quandyfactory commented
Thanks for raising this issue. It is fixed in version 1.7.3,