http://bugs.python.org/issue9061
On Tue, Jun 22, 2010 at 5:29 PM, Bill Janssen wrote:
> Craig Younkins wrote:
>
> > cgi.escape never escapes single quote characters, which can easily lead to a
> > Cross-Site Scripting (XSS) vulnerability. This seems to be known by
uotes, but if it is not changed, the
documentation should explicitly say this method does not make input safe for
inclusion in HTML.
Shameless plug: http://www.PythonSecurity.org/
Craig Younkins
___
Python-Dev mailing li