
Author Dhiraj_Mishra
Recipients Dhiraj_Mishra, docs@python
Date 2016-02-21.09:45:58
Message-id <1456047959.51.0.622191858918.issue26398@psf.upfronthosting.co.za>
Content
The predefined module function cgi.escape() can lead to XSS or HTMLi
in every version of Python.

Example :

import cgi
test = "<h1>Vulnerable</h1>"
cgi.escape(test)  # returns '&lt;h1&gt;Vulnerable&lt;/h1&gt;': '<' and '>' are escaped

Works properly, all the characters are escaped properly, but:

Example 2:

import cgi
test2 = ' " '
cgi.escape(test2)  # returns ' " ' unchanged: the double quote is not escaped by default

Does not work fine: the ' " ' character is not escaped properly, and this may cause XSS or HTMLi.
Please find the attachments below (PFA).

The Python security expert says:

" - The behavior of the cgi.escape() function is not a bug. It works
exactly as documented in the Python documentation,
https://docs.python.org/2/library/cgi.html#cgi.escape

- By default the cgi.escape() function only escapes the three chars '<',
'>' and '&'. The double quote char '"' is not quoted unless you call
cgi.escape() with quote=True. The default mode is suitable for
escaping blocks of text that may contain HTML."

He says that if quote=True is set then it is not vulnerable.
Example :

cgi.escape('<h1>"&auml;"</h1>', quote=True)

But many website developers and many popular companies forget to set the
quote=True parameter, and this may cause XSS and HTMLi.
According to me there should be a predefined value in cgi.escape() which makes
quote=True the default; then it will not be vulnerable.

I hope this will be patched soon and will be Updated.
Thank You (PFA)
Dhiraj Mishra
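To make the quote=False versus quote=True difference concrete, here is an added example (not part of the bug report and not the stdlib's code) that reimplements the substitutions cgi.escape() is documented to perform, since cgi.escape() itself was removed in Python 3.8, and compares it with html.escape(), which escapes quotes by default; the untrusted input, the attribute template and the attr_value_contained check are constructed for this example.

```python
"""Added example: why the default cgi.escape() is unsafe inside an HTML
attribute and how quote=True (or html.escape) fixes it."""
import html


def cgi_style_escape(s, quote=False):
    """Reproduces the documented cgi.escape() substitutions in the same order.
    This is a reimplementation written for this example (assumption), because
    cgi.escape() no longer exists in current Python releases."""
    s = s.replace("&", "&amp;")
    s = s.replace("<", "&lt;")
    s = s.replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def render_attr(value, escaper):
    """Place untrusted text inside a double-quoted attribute value,
    the context in which an unescaped '"' matters."""
    return '<input value="%s">' % escaper(value)


def attr_value_contained(markup):
    """Defensive check: the rendered tag should hold exactly the two
    delimiting double quotes. Any extra '"' means the untrusted value
    was able to terminate the attribute early."""
    return markup.count('"') == 2


# Constructed untrusted input, the same string as the report's second example.
UNTRUSTED = ' " '

if __name__ == "__main__":
    escapers = [
        ("cgi default", cgi_style_escape),
        ("cgi quote=True", lambda s: cgi_style_escape(s, quote=True)),
        ("html.escape", html.escape),
    ]
    for name, esc in escapers:
        out = render_attr(UNTRUSTED, esc)
        print("%-15s %r contained=%s" % (name, out, attr_value_contained(out)))
```

Only the default cgi-style escaper fails the containment check; quote=True and html.escape both keep the attribute delimited.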