[New-bugs-announce] [issue26398] cgi.escape() Can Lead To XSS and HTMLi Vulnerabilities

Dhiraj report at bugs.python.org
Sun Feb 21 04:45:59 EST 2016

New submission from Dhiraj:

The pre-defined module function cgi.escape() can lead to XSS or HTMLi
in every version of Python.

Example :

import cgi
test = "<h1>Vulnerable</h1>"
# Default call: '<', '>' and '&' are escaped (cgi.escape was removed in Python 3.8)
print(cgi.escape(test))

Works properly, all the characters are escaped properly, but:

Example 2:

import cgi
test2 = ' " '
# Default call: the double quote is left as-is because quote defaults to False
print(cgi.escape(test2))

Does not work fine, and the '"' character is not escaped properly, and this may cause an XSS or HTMLi.
Please find the attachments below (PFA).

The Python security expert says:

" - The behavior of the cgi.escape() function is not a bug. It works
exactly as documented in the Python documentation,

- By default the cgi.escape() function only escapes the three chars '<',
'>' and '&'. The double quote char '"' is not quoted unless you call
cgi.escape() with quote=True. The default mode is suitable for
escaping blocks of text that may contain HTML."

He says that if quote = True, then it's not vulnerable.
Example:

cgi.escape('<h1>"ä"</h1>', quote=True)

But many website developers and many popular companies forget to pass the
quote = True parameter, and this may cause XSS and HTMLi.
According to me there should be a predefined value in cgi.escape() which makes
quote = True; then it will not be vulnerable.

I hope this will be patched soon and will be updated.
Thank you (PFA)
Dhiraj Mishra

assignee: docs at python
components: Documentation
files: CGI.ESCAPE_2.png
messages: 260600
nosy: DhirajMishra, docs at python
priority: normal
severity: normal
status: open
title: cgi.escape() Can Lead To XSS and HTMLi Vulnerabilities
versions: Python 3.6
Added file: http://bugs.python.org/file41982/CGI.ESCAPE_2.png

Python tracker <report at bugs.python.org>
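An added example, not from the report or from CPython, showing the two behaviours the report contrasts and the check a code reviewer can apply to attribute output. It uses html.escape(), since cgi.escape() was removed in Python 3.8; html.escape(value, quote=False) is assumed to reproduce the cgi.escape() default of escaping only '<', '>' and '&' (html.escape with quote=True additionally escapes the single quote, which cgi.escape did not).

```python
import html

# Constructed sample: an untrusted value that a template interpolates into an
# HTML attribute such as <input value="...">. It contains a double quote.
UNTRUSTED_VALUE = 'say "hi" and <b>bye</b>'

ATTR_PREFIX = '<input type="text" value="'
ATTR_SUFFIX = '">'


def escape_like_cgi_default(value: str) -> str:
    """Escape only '<', '>' and '&', i.e. the cgi.escape() default the report
    describes. Assumption: html.escape(quote=False) matches it for these chars."""
    return html.escape(value, quote=False)


def escape_for_attribute(value: str) -> str:
    """html.escape() with quote=True also escapes '"' (as &quot;) and "'" (as
    &#x27;), which is what an attribute context needs."""
    return html.escape(value, quote=True)


def render_input(value: str, escaper) -> str:
    """Interpolate the value into a double-quoted attribute using the escaper."""
    return ATTR_PREFIX + escaper(value) + ATTR_SUFFIX


def attribute_is_intact(markup: str) -> bool:
    """Defender's check: the escaped attribute body must contain no raw quote,
    since a raw '"' would terminate the attribute early (the HTMLi the report
    warns about). Returns True only when the body is free of both quote kinds."""
    if not (markup.startswith(ATTR_PREFIX) and markup.endswith(ATTR_SUFFIX)):
        return False
    body = markup[len(ATTR_PREFIX):-len(ATTR_SUFFIX)]
    return '"' not in body and "'" not in body


if __name__ == "__main__":
    for name, escaper in (("cgi.escape default", escape_like_cgi_default),
                          ("quote=True", escape_for_attribute)):
        out = render_input(UNTRUSTED_VALUE, escaper)
        print(f"{name:20s} intact={attribute_is_intact(out)!s:5s} {out}")
```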
