[Python-checkins] r55348 - in python/trunk: Lib/cgitb.py Misc/NEWS
georg.brandl
python-checkins at python.org
Tue May 15 22:19:35 CEST 2007
Author: georg.brandl
Date: Tue May 15 22:19:34 2007
New Revision: 55348
Modified:
python/trunk/Lib/cgitb.py
python/trunk/Misc/NEWS
Log:
HTML-escape the plain traceback in cgitb's HTML output, to prevent
the traceback inadvertently or maliciously closing the comment and
injecting HTML into the error page.
Modified: python/trunk/Lib/cgitb.py
==============================================================================
--- python/trunk/Lib/cgitb.py (original)
+++ python/trunk/Lib/cgitb.py Tue May 15 22:19:34 2007
@@ -183,7 +183,8 @@
%s
-->
-''' % ''.join(traceback.format_exception(etype, evalue, etb))
+''' % pydoc.html.escape(
+ ''.join(traceback.format_exception(etype, evalue, etb)))
def text((etype, evalue, etb), context=5):
"""Return a plain text document describing a given traceback."""
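Review bot: the fix in this hunk is sound only because `pydoc.html.escape` rewrites `>` as `&gt;`, so a `-->` sequence carried in an exception message (which can echo request data) can no longer terminate the surrounding HTML comment; worth stating that in a short comment above the `%` line, since the plain-text traceback sits inside `<!-- ... -->` and a future reader may not see why escaping is needed in a comment. Two small points: the hunk depends on `pydoc` already being imported at module level (not visible here), and `&amp;`/`&lt;` substitutions will make the commented traceback slightly less readable when viewed as source, which seems an acceptable trade for closing the injection path.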
Modified: python/trunk/Misc/NEWS
==============================================================================
--- python/trunk/Misc/NEWS (original)
+++ python/trunk/Misc/NEWS Tue May 15 22:19:34 2007
@@ -207,6 +207,10 @@
Library
-------
+- HTML-escape the plain traceback in cgitb's HTML output, to prevent
+ the traceback inadvertently or maliciously closing the comment and
+ injecting HTML into the error page.
+
- The popen2 module and os.popen* are deprecated. Use the subprocess module.
- Added an optional credentials argument to SMTPHandler, for use with SMTP
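Review bot: the NEWS entry repeats the commit message verbatim, which is fine, but if this change originated from a tracker issue it should cite the issue number as the neighbouring entries do, so users auditing the escaping behaviour of cgitb can find the discussion.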