[docs] [issue26398] cgi.escape() Can Lead To XSS and HTML Vulnerabilities

Dhiraj report at bugs.python.org
Sun Feb 21 22:06:39 EST 2016

Dhiraj added the comment:

Hello @Georg Brandl PFA you'll be happy to find that python3.x is still vulnerable to cgi.escape() the module is not able to escape some values and can lead to XSS also.
As @Martin Panter said now cgi.escape() is been replaced to html.escape()
so accordingly cgi.escape() should have a Pr-define value " quote = True "
which is not there in any Version of Python3.x or the module should be removed because we have html.escape() , Because many People still use's CGI in Web-Application.

Thank You

Added file: http://bugs.python.org/file41996/cgi.escape_Dhiraj_Mishra.png

Python tracker <report at bugs.python.org>

More information about the docs mailing list