Message260600
The pre-defined module cgi.escape() can lead to XSS or HTMLi
in every version of Python.
Example :
import cgi
test = "<h1>Vulnerable</h1>"
# The three default characters '<', '>' and '&' are replaced.
print(cgi.escape(test))  # &lt;h1&gt;Vulnerable&lt;/h1&gt;
Works properly; all the characters are escaped properly, but
Example 2:
import cgi
test2 = ' " '
# Without quote=True the double quote is returned unchanged.
print(cgi.escape(test2))  # ' " '
Does not work fine; the ' " ' character is not escaped properly, and this may cause an XSS or HTMLi.
Please find the attachments below (PFA).
The Python Security Expert says :
" - The behavior of the cgi.escape() function is not a bug. It works
exactly as documented in the Python documentation,
https://docs.python.org/2/library/cgi.html#cgi.escape
- By default the cgi.escape() function only escapes the three chars '<',
'>' and '&'. The double quote char '"' is not quoted unless you call
cgi.escape() with quote=True. The default mode is suitable for
escaping blocks of text that may contain HTML."
He says that if quote=True then it's not vulnerable.
Example :
# With quote=True the double quotes are also replaced.
print(cgi.escape('<h1>"ä"</h1>', quote=True))  # &lt;h1&gt;&quot;ä&quot;&lt;/h1&gt;
But many website developers and many popular companies forget to implement the
quote=True function, and this may cause XSS and HTMLi.
According to me there should be a predefined value in cgi.escape() which makes
quote=True; then it will not be vulnerable.
I hope this will be patched soon and will be updated.
Thank you (PFA)
Dhiraj Mishra
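An added example, not part of the report or of CPython, showing why the default matters once the escaped value lands inside a double-quoted HTML attribute. legacy_escape() below re-creates the documented old cgi.escape() behaviour for comparison (an assumption, not the original implementation); html.escape() is Python 3's replacement and escapes quotes by default. The sample title value is constructed.

```python
import html


def legacy_escape(s, quote=False):
    """Re-creates the documented cgi.escape() behaviour (assumption):
    '&', '<' and '>' always; '"' only when quote=True."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def render_link(title, escaper):
    """Builds an <a> tag whose title attribute holds user-controlled text."""
    return f'<a href="/item" title="{escaper(title)}">item</a>'


def breaks_out_of_attribute(escaped):
    """True if a raw double quote survived escaping; inside a double-quoted
    attribute it terminates the value and lets new attributes be injected."""
    return '"' in escaped


def compare(title):
    """Renders the same title with the three escaping choices discussed."""
    return {
        "cgi_default": render_link(title, legacy_escape),
        "cgi_quote_true": render_link(title, lambda s: legacy_escape(s, quote=True)),
        "html_escape": render_link(title, html.escape),
    }


# Constructed input: no '<', '>' or '&', so the old default changes nothing,
# but the leading quote closes the title attribute early.
USER_TITLE = '" injected="yes'

if __name__ == "__main__":
    for name, markup in compare(USER_TITLE).items():
        print(f"{name:15} {markup}")
```

The first line of output shows a second attribute appearing in the tag; the other two keep the whole value inside the title attribute.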
History
Date                | User          | Action | Args
2016-02-21 09:45:59 | Dhiraj_Mishra | set    | recipients: + Dhiraj_Mishra, docs@python
2016-02-21 09:45:59 | Dhiraj_Mishra | set    | messageid: <1456047959.51.0.622191858918.issue26398@psf.upfronthosting.co.za>
2016-02-21 09:45:59 | Dhiraj_Mishra | link   | issue26398 messages
2016-02-21 09:45:58 | Dhiraj_Mishra | create |