[issue26398] cgi.escape() Can Lead To XSS and HTML Vulnerabilities
Dhiraj
report at bugs.python.org
Sun Feb 21 22:06:39 EST 2016
Dhiraj added the comment:
Hello @Georg Brandl, PFA. You'll be happy to find that Python 3.x is still vulnerable through cgi.escape(): the module is not able to escape some values and can lead to XSS also.
As @Martin Panter said, cgi.escape() has now been replaced by html.escape(),
so accordingly cgi.escape() should have a pre-defined value "quote = True",
which is not there in any version of Python 3.x, or the module should be removed because we have html.escape(), because many people still use CGI in web applications.
Thank you
----------
Added file: http://bugs.python.org/file41996/cgi.escape_Dhiraj_Mishra.png
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26398>
_______________________________________
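The point of the report above is the default `quote` argument: the old `cgi.escape()` left `"` and `'` untouched, so an escaped value dropped into an HTML attribute could still close that attribute. The following is an added example, not code from the tracker or from CPython itself. Because `cgi.escape()` was removed in Python 3.8, it uses `html.escape(value, quote=False)` as a stand-in for the old default behaviour (an assumption stated in the code), and uses `html.parser.HTMLParser` to show what a browser-like parser actually sees in each case. The injected attribute in the constructed input is deliberately harmless; the check is whether the attribute boundary survives.

```python
import html
from html.parser import HTMLParser

# Constructed untrusted input: the leading double quote closes the value
# attribute; if it is not escaped, the rest becomes a new attribute.
UNTRUSTED = '" data-injected="yes'


def escape_like_cgi(value: str) -> str:
    """Stand-in for the removed cgi.escape() default (assumption: cgi.escape()
    escaped only &, < and > unless quote=True was passed), reproduced here
    with html.escape(..., quote=False)."""
    return html.escape(value, quote=False)


def escape_safely(value: str) -> str:
    """html.escape() with its default quote=True also escapes " and '."""
    return html.escape(value)


def render_input(value: str, escaper) -> str:
    """Place an escaped value inside a double-quoted attribute."""
    return '<input value="%s">' % escaper(value)


class AttrCollector(HTMLParser):
    """Record the attributes the parser assigns to the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            # HTMLParser unescapes attribute values, so &quot; comes back as "
            self.attrs = dict(attrs)


def parse_attrs(markup: str) -> dict:
    """Return {attribute: value} as a standards-based parser sees the tag."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    for name, escaper in (("cgi-style", escape_like_cgi), ("html.escape", escape_safely)):
        markup = render_input(UNTRUSTED, escaper)
        print(name, "->", markup)
        print("   parsed attributes:", parse_attrs(markup))
```

With the cgi-style escaper the parser reports two attributes (`value` is empty and `data-injected` has been added), which is the attribute break-out the report describes; with `html.escape()` the whole untrusted string stays inside the single `value` attribute. Escaping quotes is necessary for attribute contexts, but it is still only correct for quoted attributes in HTML text; values placed into URLs, inline scripts or CSS need context-specific encoding.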