[docs] [issue26398] cgi.escape() Can Lead To XSS and HTML Vulnerabilities
report at bugs.python.org
Sun Feb 21 22:06:39 EST 2016
Dhiraj added the comment:
Hello @Georg Brandl PFA you'll be happy to find that python3.x is still vulnerable to cgi.escape() the module is not able to escape some values and can lead to XSS also.
As @Martin Panter said now cgi.escape() is been replaced to html.escape()
so accordingly cgi.escape() should have a Pr-define value " quote = True "
which is not there in any Version of Python3.x or the module should be removed because we have html.escape() , Because many People still use's CGI in Web-Application.
Added file: http://bugs.python.org/file41996/cgi.escape_Dhiraj_Mishra.png
Python tracker <report at bugs.python.org>
More information about the docs