Hello,<div><br></div>The method in question: <a href="http://docs.python.org/library/cgi.html#cgi.escape">http://docs.python.org/library/cgi.html#cgi.escape</a><div><a href="http://svn.python.org/view/python/tags/r265/Lib/cgi.py?view=markup">http://svn.python.org/view/python/tags/r265/Lib/cgi.py?view=markup</a> # at the bottom</div>
<div><br>"Convert the characters '&', '<' and '>' in string s to HTML-safe sequences. Use this if you need to display text that might contain such characters in HTML. If the optional flag quote is true, the quotation mark character ('"') is also translated; this helps for inclusion in an HTML attribute value, as in <A HREF="...">. If the value to be quoted might include single- or double-quote characters, or both, consider using the quoteattr() function in the xml.sax.saxutils module instead."<div>
<br></div><div>cgi.escape never escapes single quote characters, which can easily lead to a Cross-Site Scripting (XSS) vulnerability. This seems to be known by many, but a quick search reveals many are using cgi.escape for HTML attribute escaping.</div>
<div><br></div><div>The intended use of this method is unclear to me. Up to and including the latest published version of Mako (0.3.3), this method was the HTML escaping method. Used in this manner, single-quoted attributes with user-supplied data are easily susceptible to cross-site scripting vulnerabilities.</div>
<div><br></div><div>Proof of concept in Mako:</div><div><div style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><div>>>> from mako.template import Template</div></div><div style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">
<div>>>> print Template("<div class='${data}'>", default_filters=['h']).render(data="' onload='alert(1);' id='")</div></div><div style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">
<div class='' onload='alert(1);' id=''></div><div style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br></div><div style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">
I've emailed Michael Bayer, the creator of Mako, and this will be fixed in version 0.3.4.</div><div style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br></div><div style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">
While the documentation says "if the value to be quoted might include single- or double-quote characters... [use the] xml.sax.saxutils module instead," it also implies that this method will make input safe for HTML. Because this method escapes 4 of the 5 key XML characters, it is reasonable to expect some will use it in the manner Mako did.</div>
<div style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br></div><div style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">I suggest rewording the documentation for the method making it more clear what it should and should not be used for. I would like to see the method changed to properly escape single-quotes, but if it is not changed, the documentation should explicitly say this method does not make input safe for inclusion in HTML.</div>
<div style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br></div><div style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">Shameless plug: <span class="Apple-style-span" style="border-collapse: separate; font-family: arial; font-size: small; "><a href="http://www.pythonsecurity.org/">http://www.PythonSecurity.org/</a></span></div>
<div style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; "><br></div><div style="font-family: arial, sans-serif; font-size: 13px; border-collapse: collapse; ">Craig Younkins</div></div></div>