[docs] [issue26398] cgi.escape() Can Lead To XSS and HTMLi Vulnerabilities
report at bugs.python.org
Sun Feb 21 04:45:59 EST 2016
New submission from Dhiraj:
The Pre-defined Module cgi.escape() can lead to XSS or HTMLi
in every Version of Python.
test = "<h1>Vulnerable</h1>"
Works properly; all the characters are escaped properly, but
test2 = ' " '
Does not work fine, and the ' " ' character is not escaped properly, and this may cause an XSS or HTMLi.
Please find the Attachments Below (PFA)
The Python Security Expert says:
" - The behavior of the cgi.escape() function is not a bug. It works
exactly as documented in the Python documentation,
- By default the cgi.escape() function only escapes the three chars '<',
'>' and '&'. The double quote char '"' is not quoted unless you call
cgi.escape() with quote=True. The default mode is suitable for
escaping blocks of text that may contain HTML."
He says that if quote = True then it's not vulnerable.
But many website developers and many popular companies forget to implement the
quote = True function, and this may cause XSS and HTMLi.
According to me, there should be a predefined value in cgi.escape() which makes
quote = True; then it will not be vulnerable.
I hope this will be patched soon and will be Updated.
Thank You (PFA)
assignee: docs at python
nosy: DhirajMishra, docs at python
title: cgi.escape() Can Lead To XSS and HTMLi Vulnerabilities
versions: Python 3.6
Added file: http://bugs.python.org/file41982/CGI.ESCAPE_2.png
Python tracker <report at bugs.python.org>
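The behaviour discussed in this report, as an added example that is not part of the tracker message: cgi.escape() was deprecated in Python 3.2 and removed in 3.8, so the legacy function below is a small re-implementation of its documented behaviour (only '&', '<', '>' by default, plus '"' when quote=True), contrasted with html.escape(), whose quote parameter defaults to True. The render_attribute and attribute_is_intact helpers are assumptions made for the demonstration.

```python
import html


def legacy_cgi_escape(s: str, quote: bool = False) -> str:
    """Re-implementation of the documented cgi.escape() behaviour (removed in 3.8).

    Only '&', '<' and '>' are escaped by default; '"' is escaped only when
    quote=True. Written here for illustration, not the original stdlib code.
    """
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def safe_escape(s: str) -> str:
    """Replacement for cgi.escape(): html.escape() escapes '"' and "'" by default."""
    return html.escape(s)  # quote=True is the default


def render_attribute(value: str, escaper) -> str:
    """Hypothetical template: place user-controlled text inside a double-quoted
    HTML attribute, using the supplied escaping function."""
    return f'<input value="{escaper(value)}">'


def attribute_is_intact(markup: str) -> bool:
    """Crude check for this single-attribute template: a correctly escaped value
    leaves exactly two raw '"' characters (the attribute delimiters). Any extra
    raw '"' means the value terminated the attribute early, which is the
    injection point the report describes."""
    return markup.count('"') == 2


def compare(value: str) -> dict:
    """Escape the same input both ways and report whether the attribute survived."""
    legacy = render_attribute(value, legacy_cgi_escape)
    fixed = render_attribute(value, safe_escape)
    return {
        "legacy_markup": legacy,
        "legacy_intact": attribute_is_intact(legacy),
        "fixed_markup": fixed,
        "fixed_intact": attribute_is_intact(fixed),
    }


if __name__ == "__main__":
    # Constructed sample inputs mirroring the report's test and test2 cases.
    print(legacy_cgi_escape("<h1>Vulnerable</h1>"))   # element text: escaped fine
    print(repr(legacy_cgi_escape(' " ')))            # quote left untouched
    print(compare('a " b'))                          # legacy breaks out, fixed does not
```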