[Python-Dev] Use of cgi.escape can lead to XSS vulnerabilities

Craig Younkins cyounkins at gmail.com
Wed Jun 23 17:51:31 CEST 2010


http://bugs.python.org/issue9061

On Tue, Jun 22, 2010 at 5:29 PM, Bill Janssen <janssen at parc.com> wrote:

> Craig Younkins <cyounkins at gmail.com> wrote:
>
> > cgi.escape never escapes single quote characters, which can easily lead
> to a
> > Cross-Site Scripting (XSS) vulnerability. This seems to be known by many,
> > but a quick search reveals many are using cgi.escape for HTML attribute
> > escaping.
>
> Did you file a bug report?
>
> Bill
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/python-dev/attachments/20100623/b05c3ee0/attachment.html>


More information about the Python-Dev mailing list