[issue26585] Use html.escape to replace _quote_html in http.server
Xiang Zhang
report at bugs.python.org
Fri Mar 18 03:37:20 EDT 2016
Xiang Zhang added the comment:
At first I also wanted to use html.escape(..., quote=False), since the spec only asks to escape quote signs in attributes. But after some searching on Google, there are articles that recommend escaping quotes in content too: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
----------
_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26585>
_______________________________________
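The quote=False versus quote=True difference discussed in the comment above, as an added example that is not part of the original message or of http.server itself. The helper names (render_link, parsed_attributes, AttrCollector) and the sample value are assumptions made up for illustration; the same escaped string is placed in both an attribute and element content, and the standard-library HTML parser reports what attributes the tag ends up with.

```python
import html
from html.parser import HTMLParser


class AttrCollector(HTMLParser):
    """Record the attributes of every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def render_link(value, quote):
    """Escape value once, then use it in an attribute and in content."""
    escaped = html.escape(value, quote=quote)
    return '<a title="{0}">{0}</a>'.format(escaped)


def parsed_attributes(markup):
    """Return the attribute dict of the first start tag in markup."""
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags[0][1]


# Constructed sample: a harmless value that contains double quotes.
SAMPLE = 'report" data-injected="1'


def compare_modes(value=SAMPLE):
    """Map each quote setting to the attributes the parser recovers."""
    return {q: parsed_attributes(render_link(value, q)) for q in (False, True)}


if __name__ == "__main__":
    for quote, attrs in compare_modes().items():
        print("quote=%s -> %r" % (quote, attrs))
```

With quote=False the value closes the title attribute early and the tag gains a second attribute; with quote=True the parser recovers the original string as the single title value, so one escaper is safe in both positions.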