[issue26398] cgi.escape() Can Lead To XSS and HTML Vulnerabilities

2016-02-23 Thread Dhiraj
Changes by Dhiraj: -- resolution: duplicate -> fixed

2016-02-23 Thread Gregory P. Smith
Gregory P. Smith added the comment: As pointed out, this is working as intended and is documented as such. That it isn't what you want is why Python 3 has html.escape() instead. -- resolution: -> duplicate status: open -> closed superseder: -> cgi.escape Can Lead To XSS

2016-02-23 Thread Dhiraj
Dhiraj added the comment: Even the IDLE of Python is vulnerable to CGI.ESCAPE(). Please have a look at the attachments; I hope this would be patched soon. Thank you -- nosy: +dstufft, gregory.p.smith type: -> security Added file:

2016-02-21 Thread Dhiraj
Dhiraj added the comment: Hello @Georg Brandl, PFA; you'll be happy to find that python3.x is still vulnerable to cgi.escape(): the module is not able to escape some values and can lead to XSS also. As @Martin Panter said, now cgi.escape() has been replaced by html.escape(), so accordingly

2016-02-21 Thread Christian Heimes
Changes by Christian Heimes: -- nosy: +christian.heimes

2016-02-21 Thread Dhiraj
Dhiraj added the comment: Hello @martin.panter, okay. But still the module cgi.escape() is vulnerable; if the Python docs have created a new html.escape, you might remove cgi.escape() or implement quote = True in cgi.escape(), predefined as it is in html.escape, because developers mostly use

2016-02-21 Thread Martin Panter
Martin Panter added the comment: The Python 3 documentation says this is deprecated in favour of html.escape(), which by default has quote=True. AFAIK there is no equivalent in Python 2. See Issue 2830 for the addition of html.escape(),
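An added example, not code from the tracker or from CPython, illustrating the quote=True difference that Dhiraj and Martin Panter discuss above: the legacy cgi.escape() behaviour is re-implemented here (the function was deprecated in 3.2 and removed in Python 3.8) and compared with html.escape() when untrusted text is placed inside a quoted HTML attribute; render_attr, stays_in_attribute and the sample inputs are hypothetical helpers and constructed data.

```python
import html


def legacy_cgi_escape(s: str, quote: bool = False) -> str:
    """Re-implementation of the old cgi.escape() semantics (not the CPython
    source): &, <, > are always replaced; the double quote only when
    quote=True; the single quote never."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def render_attr(value: str, escaper, q: str = '"') -> str:
    """Hypothetical template: embed untrusted text in a q-quoted attribute."""
    return "<input value=%s%s%s>" % (q, escaper(value), q)


def stays_in_attribute(value: str, escaper, q: str = '"') -> bool:
    """True if the escaped value cannot close the attribute: the rendered
    markup then contains exactly the two quote characters the template wrote."""
    return render_attr(value, escaper, q).count(q) == 2


# Constructed samples: text that tries to close the attribute and add its own.
# Kept benign on purpose (a data- attribute); the breakout is what matters.
DQ_INPUT = 'x" data-injected="yes'
SQ_INPUT = "x' data-injected='yes"

ESCAPERS = {
    "cgi.escape() default": legacy_cgi_escape,
    "cgi.escape(quote=True)": lambda s: legacy_cgi_escape(s, quote=True),
    "html.escape() default": html.escape,   # quote=True by default
}


def summary() -> dict:
    """Map escaper name -> (safe in "..." attribute, safe in '...' attribute)."""
    return {
        name: (stays_in_attribute(DQ_INPUT, esc, '"'),
               stays_in_attribute(SQ_INPUT, esc, "'"))
        for name, esc in ESCAPERS.items()
    }


if __name__ == "__main__":
    for name, (dq_ok, sq_ok) in summary().items():
        print("%-24s double-quoted attr safe: %-5s single-quoted attr safe: %s"
              % (name, dq_ok, sq_ok))
        for q, val in (('"', DQ_INPUT), ("'", SQ_INPUT)):
            print("    ", render_attr(val, ESCAPERS[name], q))
```

Only html.escape() keeps the text inside both attribute styles; cgi.escape() with quote=True still lets a single-quoted attribute be closed, so the Python 2 default of quote=False is not the only gap.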