[Python-Dev] Use of cgi.escape can lead to XSS vulnerabilities
James Y Knight
foom at fuhm.net
Thu Jun 24 02:26:25 CEST 2010
On Jun 22, 2010, at 5:14 PM, Craig Younkins wrote:
> I suggest rewording the documentation for the method making it more
> clear what it should and should not be used for. I would like to see
> the method changed to properly escape single-quotes, but if it is
> not changed, the documentation should explicitly say this method
> does not make input safe for inclusion in HTML.
Well, it *does* make the input safe for inclusion in HTML...in a double-quoted attribute.
The docs could make it clearer that you should always use double-quotes around your attribute values when using it, though, I agree.
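The distinction drawn above (escaping is sufficient only inside a double-quoted attribute) can be checked mechanically. The following is an added example, not code from this thread or from CPython: since cgi.escape was removed in Python 3.8, legacy_cgi_escape reimplements its old behaviour (an assumption based on its documented semantics), and html.parser stands in for a browser to test whether an attribute value survives the round trip under each escaper/quoting pair.

```python
# Added example (not from this thread or CPython). cgi.escape was removed in
# Python 3.8; legacy_cgi_escape mirrors its old behaviour: rewrite &, < and >,
# rewrite " only when quote=True, and never touch the single quote.
# html.parser plays the role of the browser so each combination of escaper
# and attribute quoting can be checked for whether the text round-trips.
from html import escape
from html.parser import HTMLParser


def legacy_cgi_escape(s: str, quote: bool = False) -> str:
    """Mirror of the removed cgi.escape (assumption: matches its source)."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


class _FirstTagAttrs(HTMLParser):
    """Records the attributes of the first start tag the parser sees."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)  # values arrive already unescaped


def attribute_round_trips(value: str, quote_char: str, escaper) -> bool:
    """True iff <a title=Q{escaped}Q> parses back to the original value."""
    markup = f'<a title={quote_char}{escaper(value)}{quote_char} href="/">x</a>'
    parser = _FirstTagAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs is not None and parser.attrs.get("title") == value


# Constructed sample holding both quote styles and a tag; not from the thread.
SAMPLE = "O'Reilly \"Ed.\" <b>"


def compare_escapers(value: str = SAMPLE) -> dict:
    """Which escaper/quoting pairs keep the attribute boundary intact."""
    def legacy_quoted(s: str) -> str:
        return legacy_cgi_escape(s, quote=True)
    return {
        "legacy_default_in_double": attribute_round_trips(value, '"', legacy_cgi_escape),
        "legacy_quote_in_double": attribute_round_trips(value, '"', legacy_quoted),
        "legacy_quote_in_single": attribute_round_trips(value, "'", legacy_quoted),
        "html_escape_in_double": attribute_round_trips(value, '"', escape),
        "html_escape_in_single": attribute_round_trips(value, "'", escape),
    }


if __name__ == "__main__":
    for name, ok in compare_escapers().items():
        print(f"{name:26} {'round-trips' if ok else 'BREAKS attribute'}")
```

Only the legacy escaper with quote=True inside double quotes, or html.escape in either quote style, returns the original text; the other rows show the attribute boundary being cut short.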