Over at MarkupSafe, there’s an open ticket about escaping the invisible ASCII backspace and delete characters in addition to the normal HTML syntax characters.
The reasoning is that these characters render as invisible in HTML, but when copied into a terminal, they actually affect the input and can change the meaning of a command. It’s not XSS, but it feels like it’s in the same space.
`import y\bose\bm\bi\bt\be\b` renders as `import yosemite` in HTML but executes `import os` in the Python console.
I’m undecided on whether to implement this. On the one hand, it is an issue, and the `escape` function seems like the best place to address it. Introducing a separate function or a flag to control it seems ineffective, as users would need to know to use it, and most don’t even know they’re using MarkupSafe to begin with.
On the other hand, this introduces a non-reversible behavior to `escape`. Right now, it’s true that `unescape(escape(value)) == value`. But if backspace is escaped to `\b`, there’s no way for `unescape` to know whether that’s due to escaping or if it was already escaped in the original and shouldn’t change. And it’s not clear that you’d even want to unescape those characters, as there doesn’t seem like an obvious legitimate use for them in this context.
Also, some browsers and terminals are getting smart and warning about these characters on copy and paste, no changes required.
I figured the Django devs might have some interesting input on this discussion, since Django also provides escaping and might want to implement this if we do.
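To make the two points in the post concrete (the browser/terminal mismatch, and why escaping backspace breaks `unescape(escape(value)) == value`), here is a small self-contained Python example. It is added here for illustration and is not MarkupSafe's or Django's code: `escape_with_controls` and `unescape_with_controls` are hypothetical variants built on the standard library's `html` module, `as_terminal_would` is a simplified model of a line editor that treats backspace and delete as "erase the previous character", and `as_browser_renders` approximates "invisible" by dropping C0 control characters and DEL. The sample string is the one from the post.

```python
import html
import re

# Hypothetical extension of escape(): in addition to the HTML syntax
# characters, map ASCII backspace (0x08) and delete (0x7f) to visible text.
# This mirrors the proposal in the ticket, not MarkupSafe's actual behavior.
_CONTROL_ESCAPES = {"\x08": "\\b", "\x7f": "\\x7f"}


def escape_with_controls(value: str) -> str:
    """HTML-escape value, then make backspace/delete visible (hypothetical)."""
    out = html.escape(value, quote=True)  # html.escape leaves control chars alone
    for ch, visible in _CONTROL_ESCAPES.items():
        out = out.replace(ch, visible)
    return out


def unescape_with_controls(value: str) -> str:
    """Naive inverse of escape_with_controls (hypothetical).

    It cannot tell a literal two-character "\\b" in the original apart from a
    backspace that escape_with_controls rewrote, which is the reversibility
    problem the post describes.
    """
    for ch, visible in _CONTROL_ESCAPES.items():
        value = value.replace(visible, ch)
    return html.unescape(value)


def as_terminal_would(text: str) -> str:
    """Simplified line-editor model: BS and DEL erase the previous character."""
    buf = []
    for ch in text:
        if ch in ("\x08", "\x7f"):
            if buf:
                buf.pop()
        else:
            buf.append(ch)
    return "".join(buf)


def as_browser_renders(text: str) -> str:
    """Approximation of an HTML renderer: control characters show as nothing."""
    return re.sub(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", "", text)


def roundtrip_is_lossless(value: str) -> bool:
    """True when unescape(escape(value)) gives back exactly value."""
    return unescape_with_controls(escape_with_controls(value)) == value


# Constructed sample, taken from the post: backspaces hide "os" inside "yosemite".
SAMPLE = "import y\bose\bm\bi\bt\be\b"

if __name__ == "__main__":
    print("browser shows :", as_browser_renders(SAMPLE))      # import yosemite
    print("terminal runs :", as_terminal_would(SAMPLE))       # import os
    print("escaped       :", escape_with_controls(SAMPLE))
    # Both a real backspace and a literal backslash-b escape to the same text,
    # so the round trip holds for one and fails for the other.
    print("roundtrip BS  :", roundtrip_is_lossless("a\bb"))    # True
    print("roundtrip '\\b':", roundtrip_is_lossless("a\\bb"))  # False
```

The last two lines are the whole reversibility argument in miniature: once backspace and the literal text `\b` collide on the escaped side, no `unescape` can recover the original without extra information, and a renderer that simply drops the control characters (as the browser approximation does) would have hidden the difference from a reader in the first place.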