[issue38243] A reflected XSS in python/Lib/DocXMLRPCServer.py
STINNER Victor
report at bugs.python.org
Wed Sep 25 07:01:41 EDT 2019
STINNER Victor <vstinner at python.org> added the comment:
> I've proposed the patch on GitHub which escaping the server_title when the documenter.page is called. (It different point with msg353132.
The attached poc.py seems to show that server name and server documentation are not escaped neither.
server.set_server_name('test<script>')
server.set_server_documentation('test<script>')
Well, please write a test to check that ;-)
----------
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue38243>
_______________________________________
More information about the Python-bugs-list
mailing list