Title: cgi.escape() Can Lead To XSS and HTML Vulnerabilities
Type: security Stage:
Components: Documentation Versions: Python 3.6, Python 3.4, Python 3.5, Python 2.7
Status: closed Resolution: fixed
Dependencies: Superseder: cgi.escape Can Lead To XSS Vulnerabilities
View: 9061
Assigned To: docs@python Nosy List: Dhiraj_Mishra, christian.heimes, docs@python, dstufft, georg.brandl, gregory.p.smith, martin.panter
Priority: normal Keywords:

Created on 2016-02-21 09:45 by Dhiraj_Mishra, last changed 2016-02-23 17:45 by Dhiraj_Mishra. This issue is now closed.

File name | Uploaded | Description
CGI.ESCAPE_2.png | Dhiraj_Mishra, 2016-02-21 09:45 | File is demonstrating the bug of cgi.escape(), please have a look.
cgi.escape_Dhiraj_Mishra.png | Dhiraj_Mishra, 2016-02-22 03:06 |
Python-IDLE-CGI-Vulnerable.png | Dhiraj_Mishra, 2016-02-23 13:06 |
Messages (7)
msg260600 - (view) Author: Dhiraj (Dhiraj_Mishra) * Date: 2016-02-21 09:45
The pre-defined module function cgi.escape() can lead to XSS or HTMLi
in every version of Python.

Example :

import cgi
test = "<h1>Vulnerable</h1>"
print(cgi.escape(test))  # '&lt;h1&gt;Vulnerable&lt;/h1&gt;' -- '<' and '>' are escaped

Works properly, all the characters are escaped properly, but

Example 2:

import cgi
test2 = ' " '
print(cgi.escape(test2))  # ' " ' -- the double quote is left unchanged with the default quote=False

Does not work fine: the ' " ' character is not escaped properly and this may cause an XSS or HTMLi.
Please find the attachments below (PFA).

The Python security expert says:

" - The behavior of the cgi.escape() function is not a bug. It works
exactly as documented in the Python documentation,

- By default the cgi.escape() function only escapes the three chars '<',
'>' and '&'. The double quote char '"' is not quoted unless you call
cgi.escape() with quote=True. The default mode is suitable for
escaping blocks of text that may contain HTML."

He says that if quote=True then it's not vulnerable.
Example:

cgi.escape('<h1>"&auml;"</h1>', quote=True)

But many website developers and many popular companies forget to implement the
quote = True option and this may cause XSS and HTMLi.
According to me there should be a predefined value in cgi.escape() which makes
quote = True, then it will not be vulnerable.

I hope this will be patched soon and will be updated.
Thank you (PFA)
Dhiraj Mishra
msg260601 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2016-02-21 10:09
The Python 3 documentation says this is deprecated in favour of html.escape(), which by default has quote=True. AFAIK there is no equivalent in Python 2. See Issue 2830 for the addition of html.escape(), and also Issue 9061 about cgi.escape() introducing vulnerabilities.
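The difference the two messages above turn on (cgi.escape() escaping only '<', '>' and '&' unless quote=True, while html.escape() quotes by default) shown side by side as an added example; this is not code from the tracker thread or from CPython. Because cgi.escape() was removed in Python 3.8, legacy_cgi_escape() below reproduces its documented default behaviour rather than calling the module, and attribute_is_intact() is a defender-side check introduced here as an assumption, not a stdlib function.

```python
import html


def legacy_cgi_escape(s, quote=False):
    """Reproduction of cgi.escape()'s documented behaviour (not the stdlib source):
    only '&', '<' and '>' are replaced; '"' only when quote=True."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def escape_for_attribute(s):
    """html.escape() quotes by default: both '"' and "'" are replaced, so the
    result can be placed inside a double- or single-quoted attribute value."""
    return html.escape(s)


def attribute_is_intact(escaped_value):
    """Hypothetical check a reviewer can run on escaper output: if any raw quote
    character survives, the value could terminate the surrounding attribute."""
    return '"' not in escaped_value and "'" not in escaped_value


def compare(value):
    """Show the three modes discussed in the thread for one input string."""
    return {
        "cgi_default": legacy_cgi_escape(value),
        "cgi_quote_true": legacy_cgi_escape(value, quote=True),
        "html_escape": escape_for_attribute(value),
    }


if __name__ == "__main__":
    # Constructed inputs, taken from the strings quoted in the thread.
    for sample in ['<h1>Vulnerable</h1>', ' " ', '<h1>"&auml;"</h1>', "it's"]:
        print(f"input: {sample!r}")
        for mode, out in compare(sample).items():
            print(f"  {mode:15} {out!r:45} attribute-safe={attribute_is_intact(out)}")
```

The first sample passes every mode because it contains no quote characters, which is exactly why a test that only covers angle brackets misses the problem; the second sample survives the default mode unchanged and fails the attribute check, while quote=True and html.escape() both turn it into `&quot;`. Note that even cgi.escape(quote=True) leaves the single quote alone, whereas html.escape() rewrites it as `&#x27;`, so code migrating from the old function to the new one gains protection for single-quoted attributes as well.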
msg260610 - (view) Author: Dhiraj (Dhiraj_Mishra) * Date: 2016-02-21 12:31
Hello @martin.panter, okay, but still the module cgi.escape() is vulnerable. If the Python docs have created a new html.escape, you might remove the cgi.escape() or implement quote = True in cgi.escape() predefined, as it is in html.escape, because developers mostly use CGI.
It's a humble request, I hope I did well.

Thank you martin.panter
msg260643 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2016-02-21 21:56
I don't think there is anything to be done here. cgi.escape() is documented properly, deprecated in Python 3.x, and changing its implementation is not really an option now.
msg260654 - (view) Author: Dhiraj (Dhiraj_Mishra) * Date: 2016-02-22 03:06
Hello @Georg Brandl, PFA. You'll be happy to find that Python 3.x is still vulnerable to cgi.escape(); the module is not able to escape some values and can lead to XSS also.
As @Martin Panter said, cgi.escape() has now been replaced by html.escape(),
so accordingly cgi.escape() should have a pre-defined value "quote = True",
which is not there in any version of Python 3.x, or the module should be removed because we have html.escape(), because many people still use CGI in web applications.

Thank you
msg260729 - (view) Author: Dhiraj (Dhiraj_Mishra) * Date: 2016-02-23 13:06
Even the IDLE of Python is vulnerable to cgi.escape(). Please have a look at the attachments; I hope this would be patched soon.

Thank you
msg260740 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2016-02-23 17:41
As pointed out, this is working as intended and is documented as such. That it isn't what you want is why Python 3 has html.escape() instead.
Date | User | Action | Args
2016-02-23 17:45:03 | Dhiraj_Mishra | set | resolution: duplicate -> fixed
2016-02-23 17:41:45 | gregory.p.smith | set | status: open -> closed; versions: + Python 2.7, Python 3.4, Python 3.5; superseder: cgi.escape Can Lead To XSS Vulnerabilities; messages: + msg260740; resolution: duplicate
2016-02-23 13:06:53 | Dhiraj_Mishra | set | files: + Python-IDLE-CGI-Vulnerable.png; nosy: + gregory.p.smith, dstufft; messages: + msg260729; type: security
2016-02-22 03:06:39 | Dhiraj_Mishra | set | files: + cgi.escape_Dhiraj_Mishra.png; messages: + msg260654
2016-02-21 21:56:51 | georg.brandl | set | nosy: + georg.brandl; messages: + msg260643
2016-02-21 17:29:42 | christian.heimes | set | nosy: + christian.heimes
2016-02-21 12:31:25 | Dhiraj_Mishra | set | messages: + msg260610
2016-02-21 10:09:30 | martin.panter | set | nosy: + martin.panter; messages: + msg260601; title: cgi.escape() Can Lead To XSS and HTMLi Vulnerabilities -> cgi.escape() Can Lead To XSS and HTML Vulnerabilities
2016-02-21 09:45:59 | Dhiraj_Mishra | create |