Is there low-hanging fruit for the following observation? The documentation of the Python cgi module is vulnerable to XSS (cross-site scripting):
https://docs.python.org/3/library/cgi.html

```
form = cgi.FieldStorage()
print("<p>name:", form["name"].value)
print("<p>addr:", form["addr"].value)
```

First result on Google for "tutorial python cgi" is
https://www.tutorialspoint.com/python/python_cgi_programming.htm

And it is almost the same as the Python doc.

I verified that setting

```
name=<script>alert(document.domain)</script>
```

will trigger a dialog, demonstrating JavaScript is executed on the CGI host.

I would expect that devs who read the docs or tutorials will write vulnerable CGIs.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
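An added example, not part of the original post or of the Python documentation: the output pattern from the quoted snippet next to a form that HTML-encodes each field with `html.escape` before printing it. The function names and the sample query string are constructed for illustration, and `urllib.parse.parse_qs` stands in for `cgi.FieldStorage` so the block runs without a CGI environment.

```python
import html
from urllib.parse import parse_qs

# Constructed sample request: the value quoted in the post, URL-encoded,
# plus an ordinary addr field containing an ampersand.
SAMPLE_QUERY = (
    "name=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E"
    "&addr=1+Main+St+%26+Co"
)


def parse_fields(query: str) -> dict:
    """Decode a query string into {field: first value} (stand-in for FieldStorage)."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_unescaped(fields: dict) -> str:
    """Same output pattern as the documentation snippet: raw value placed in HTML."""
    return "<p>name: {}\n<p>addr: {}".format(
        fields.get("name", ""), fields.get("addr", "")
    )


def render_escaped(fields: dict) -> str:
    """Hardened form: HTML-encode every user-controlled value before output."""
    name = html.escape(fields.get("name", ""), quote=True)
    addr = html.escape(fields.get("addr", ""), quote=True)
    return "<p>name: {}</p>\n<p>addr: {}</p>".format(name, addr)


if __name__ == "__main__":
    fields = parse_fields(SAMPLE_QUERY)
    print("unescaped:\n" + render_unescaped(fields))
    print("escaped:\n" + render_escaped(fields))
```

`html.escape` covers values placed in element content or inside quoted attributes; values written into a `<script>` block, a URL, or a style context need the encoding for that context instead.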