help: Problem with cgi form

Jon Ribbens jon+usenet at
Tue Feb 26 01:10:45 EST 2002

In article <3C7AD506.3000906 at>, Max M wrote:
>> Beware that, in general, that is a bug. You are open to Cross Site
>> Scripting attacks. Even in the absence of these, if the value happens
>> to contain characters significant to HTML (such as '"', '&', '>', etc)
>> then your program will go wrong.
> Yeah ok ... I thought that there was a limit to how much should be 
> explained in one post :-) But here goes:
> from cgi import escape
> '<INPUT TYPE=HIDDEN NAME= "last_pos" VALUE='%s'>' % escape(last_byte_pos)

That is also a bug ;-). cgi.escape does not escape single or double
quotes by default, and indeed never escapes single quotes.

> from xml.sax.saxutils import quoteattr
> '<INPUT TYPE=HIDDEN NAME= "last_pos" VALUE='%s'>' % quoteattr(last_byte_pos)

This is also a bug ;-). quoteattr outputs the quotes as well as the

The Python library functions do seem to be trying to make somewhat of
a mountain out of this trivial task. cgi.escape would work in all
situations and would not break backwards compatibility if it simply
always escaped single and double quotes.

More information about the Python-list mailing list