Craig Younkins added the comment:
> cgi.escape is for HTML attribute escaping only.
It is not safe for HTML attribute escaping because it does not encode single quotes.
> "More suitable" for HTML would be the correct interpretation rather make the
> "input safe&qu
Craig Younkins added the comment:
Proof of concept:
print """""" % cgi.escape("' onload='alert(1);' bad='")
--
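The following is an added example, not code from the tracker thread or from the Python standard library. It shows what the proof of concept above demonstrates: a value run through cgi.escape-style escaping still breaks out of a single-quoted attribute, while html.escape (Python 3.2+, which escapes ' as &#x27;) does not. The escaping helper reimplements the 2.x cgi.escape replacements for illustration, and the <img alt='%s'> template and the parser-based check are assumptions chosen to make the attribute injection observable.

```python
import html
from html.parser import HTMLParser

# Reimplementation of the 2.x cgi.escape replacements for illustration only
# (not the stdlib source): &, <, > always; " only when quote=True; the single
# quote is never touched, which is the bug under discussion.
def cgi_style_escape(s, quote=False):
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s

# Assumed template: the escaped value lands inside a single-quoted attribute.
TEMPLATE = "<img src='x.png' alt='%s'>"

# Constructed attacker-controlled value (the payload from the comment above).
PAYLOAD = "' onload='alert(1);' bad='"

class AttrCollector(HTMLParser):
    """Records the attribute names an HTML parser extracts from the markup."""
    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs.extend(name for name, _ in attrs)

def attributes_seen(markup):
    parser = AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs

def render(escape_fn, value):
    """Interpolate the escaped value into the attribute template."""
    return TEMPLATE % escape_fn(value)

def is_injected(escape_fn, value):
    """True if the value escapes the alt='' attribute and adds an onload handler."""
    return "onload" in attributes_seen(render(escape_fn, value))

if __name__ == "__main__":
    for name, fn in (("cgi_style_escape(quote=True)", lambda v: cgi_style_escape(v, quote=True)),
                     ("html.escape", html.escape)):
        markup = render(fn, PAYLOAD)
        print(name, "->", markup, "| attributes:", attributes_seen(markup))
```

Even with quote=True the cgi-style result leaves the payload untouched, so the parser sees src, alt, onload and bad as separate attributes; html.escape turns the quotes into &#x27; and the parser sees only src and alt.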
Changes by Craig Younkins :
--
type: -> security
Python tracker
<http://bugs.python.org/issue9061>
Python-bugs-list mailing list
New submission from Craig Younkins :
The method in question: http://docs.python.org/library/cgi.html#cgi.escape
http://svn.python.org/view/python/tags/r265/Lib/cgi.py?view=markup # at the bottom
http://code.python.org/hg/trunk/file/3be6ff1eebac/Lib/cgi.py#l1031
"Convert the chara