Dhiraj added the comment:

Hello @Georg Brandl, PFA. You'll be happy to find that python3.x is still 
vulnerable to cgi.escape(); the module is not able to escape some values and can 
lead to XSS also.
As @Martin Panter said, cgi.escape() has now been replaced by html.escape(),
so accordingly cgi.escape() should have a predefined value "quote = True",
which is not there in any version of Python3.x, or the module should be removed 
because we have html.escape(), because many people still use CGI in 
web applications.

Thank You

----------
Added file: http://bugs.python.org/file41996/cgi.escape_Dhiraj_Mishra.png

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26398>
_______________________________________
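
The difference in defaults that the comment above points at, as an added example that is not part of the original message or of CPython's own code. It assumes `html.escape(s, quote=False)` as a stand-in for an escape call made without `quote=True`; `legacy_escape`, `rendered_attributes`, `breaks_out` and `SAMPLE` are hypothetical names, and the sample value is constructed.

```python
import html
from html.parser import HTMLParser


def legacy_escape(s):
    # Assumption: models escaping without quote=True, so only &, < and >
    # are replaced and double quotes pass through unchanged.
    return html.escape(s, quote=False)


class _AttrCollector(HTMLParser):
    """Records the attribute names the parser sees on the <input> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = [name for name, _ in attrs]


def rendered_attributes(value, escape):
    # Place the escaped value inside a double-quoted attribute, then parse
    # the markup back to see which attributes actually result.
    markup = '<input type="text" value="%s">' % escape(value)
    parser = _AttrCollector()
    parser.feed(markup)
    parser.close()
    return parser.attrs


def breaks_out(value, escape):
    # The template defines exactly two attributes; anything else means the
    # value escaped its attribute context.
    return rendered_attributes(value, escape) != ["type", "value"]


# Constructed sample: a harmless marker attribute, not a script payload.
SAMPLE = 'x" data-injected="1'

if __name__ == "__main__":
    for name, fn in (("quote=False", legacy_escape), ("html.escape", html.escape)):
        print(name, rendered_attributes(SAMPLE, fn), breaks_out(SAMPLE, fn))
```
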