[docs] [issue26398] cgi.escape() Can Lead To XSS and HTML Vulnerabilities

Dhiraj report at bugs.python.org
Sun Feb 21 22:06:39 EST 2016


Dhiraj added the comment:

Hello @Georg Brandl PFA you'll be happy to find that python3.x is still vulnerable to cgi.escape() the module is not able to escape some values and can lead to XSS also.
As @Martin Panter said now cgi.escape() is been replaced to html.escape()
so accordingly cgi.escape() should have a Pr-define value " quote = True "
which is not there in any Version of Python3.x or the module should be removed because we have html.escape() , Because many People still use's CGI in Web-Application.

Thank You

----------
Added file: http://bugs.python.org/file41996/cgi.escape_Dhiraj_Mishra.png

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue26398>
_______________________________________


More information about the docs mailing list