[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

2010-08-23 Thread Benjamin Peterson
Changes by Benjamin Peterson:
-- resolution: -> duplicate
status: open -> closed
superseder: -> Copy cgi.escape() to html
Python tracker

[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

2010-08-13 Thread Éric Araujo
Éric Araujo added the comment: Markup nit fixed in r83999 (py3k) and r84001 (stupid typo), r84002 (3.1), r84003 (2.7).

[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

2010-08-03 Thread Fred L. Drake, Jr.
Fred L. Drake, Jr. added the comment: Such constructs are notoriously tedious to grep for; patches are welcome.
-- nosy: +fdrake

[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

2010-08-03 Thread Georg Brandl
Georg Brandl added the comment: No, that's just a relic from the olden LaTeX days, and I've not paid attention enough to fix it :)

[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

2010-08-03 Thread Éric Araujo
Éric Araujo added the comment: Are 2.6 docs built by an older Sphinx version? I wonder why the text uses “the :func:`quoteattr` function in the :mod:`xml.sax.saxutils` module” and not “:func:`~xml.sax.saxutils.quoteattr” to get a direct link (or even just “consider using :func:`xml.sax.saxuti

[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

2010-08-02 Thread Georg Brandl
Georg Brandl added the comment: Applied doc patch to 2.6 in r83539.
-- nosy: +georg.brandl
priority: release blocker -> critical
versions: -Python 2.5, Python 2.6

[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

2010-08-02 Thread Barry A. Warsaw
Barry A. Warsaw added the comment: Unless someone can upload a specific patch to review in the next couple of hours, I'm going to reduce the priority for 2.6.6rc1.
-- nosy: +barry

[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

2010-07-31 Thread Georg Brandl
Changes by Georg Brandl:
-- priority: normal -> release blocker

[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

2010-06-23 Thread Craig Younkins
Craig Younkins added the comment:
> cgi.escape is for HTML attribute escaping only.
It is not safe for HTML attribute escaping because it does not encode single quotes.
> "More suitable" for HTML would be the correct interpretation rather make the
> "input safe".
"More suitable, but not qui

[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

2010-06-23 Thread Senthil Kumaran
Senthil Kumaran added the comment: On Wed, Jun 23, 2010 at 03:46:35PM +, Craig Younkins wrote:
> cgi.escape never escapes single quote characters, which can easily
> lead to a Cross-Site Scripting (XSS) vulnerability. This seems to be
> known by many, but a quick search reveals many are usin

[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

2010-06-23 Thread Craig Younkins
Craig Younkins added the comment: Proof of concept: print "" % cgi.escape("' onload='alert(1);' bad='")

[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

2010-06-23 Thread Craig Younkins
Changes by Craig Younkins:
-- type: -> security

[issue9061] cgi.escape Can Lead To XSS Vulnerabilities

2010-06-23 Thread Craig Younkins
New submission from Craig Younkins: The method in question:
http://docs.python.org/library/cgi.html#cgi.escape
http://svn.python.org/view/python/tags/r265/Lib/cgi.py?view=markup # at the bottom
http://code.python.org/hg/trunk/file/3be6ff1eebac/Lib/cgi.py#l1031
"Convert the characters '&', '<