Python Sample Vulnerable Code for HTML Injection

1. #!/usr/bin/env python
2.  
3. from wsgiref.simple_server import make_server
4. from cgi import parse_qs, escape
5.  
6. html = """
7. <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
8.     "http://www.w3.org/TR/html4/strict.dtd">
9. <html land="en">
10. <head> <title>Python Vulnerable Code</title> </head>
11. <body>
12.   <form method="get" action="parsing_get.wsgi">
13.      <p>
14.         Name: <input type="text" name="name">
15.         </p>
16.      <p>
17.         Hobbies:
18.         <input name="hobbies" type="checkbox" value="Vulnerability Research"> Vulnerability Research
19.         <input name="hobbies" type="checkbox" value="Web Application Research"> Web Application Research
20.         </p>
21.      <p>
22.         <input type="submit" value="Submit">
23.         </p>
24.      </form>
25.   <p>
26.      Name: %s<br>
27.      Hobbies: %s
28.      </p>
29.   </body>
30. </html>"""
31.  
32. def application(environ, start_response):
33.  
34.    # Returns a dictionary containing lists as values.
35.    d = parse_qs(environ['QUERY_STRING'])
36.  
37.    # In this idiom you must issue a list containing a default value.
38.    name = d.get('name', [''])[0] # Returns the first name value.
39.    hobbies = d.get('hobbies', []) # Returns a list of hobbies if applied.
40.    response_body = html % (name or 'Empty',
41.                ', '.join(hobbies or ['No Hobbies, you probably need one!']))
42.  
43.    status = '200 OK'
44.  
45.    # Now content type is text/html
46.    response_headers = [('Content-Type', 'text/html'),
47.                   ('Content-Length', str(len(response_body)))]
48.    start_response(status, response_headers)
49.  
50.    return [response_body]
51.  
52. httpd = make_server('localhost', 8051, application)
53. # Now it is serve_forever() in instead of handle_request().
54. # In Windows you can kill it in the Task Manager (python.exe).
55. # In Linux a Ctrl-C will do it.
56. httpd.serve_forever()