
Author Dhiraj_Mishra
Recipients Dhiraj_Mishra, christian.heimes, docs@python, georg.brandl, martin.panter
Date 2016-02-22.03:06:38
SpamBayes Score -1.0
Marked as misclassified Yes
Message-id <1456110399.46.0.324092653289.issue26398@psf.upfronthosting.co.za>
In-reply-to
Content
Hello @Georg Brandl, PFA. You'll be happy to find that Python 3.x is still vulnerable to cgi.escape(): the module is not able to escape some values and can lead to XSS also.
As @Martin Panter said, cgi.escape() has now been replaced by html.escape(),
so accordingly cgi.escape() should have a predefined value "quote = True",
which is not there in any version of Python 3.x, or the module should be removed because we have html.escape(), because many people still use CGI in web applications.

Thank You
History
Date User Action Args
2016-02-22 03:06:39  Dhiraj_Mishra  set  recipients: + Dhiraj_Mishra, georg.brandl, christian.heimes, docs@python, martin.panter
2016-02-22 03:06:39  Dhiraj_Mishra  set  messageid: <1456110399.46.0.324092653289.issue26398@psf.upfronthosting.co.za>
2016-02-22 03:06:39  Dhiraj_Mishra  link  issue26398 messages
2016-02-22 03:06:38  Dhiraj_Mishra  create
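
The quoting difference raised in the message above, as an added example that is not part of the original report or of CPython's code. `legacy_cgi_escape` is a stand-in that mirrors the documented behaviour of the old `cgi.escape()` (which is not importable on current Python versions), and the input strings are constructed, benign markers. The check renders the escaped value into an attribute and asks an HTML parser whether any attribute other than `value` appeared.

```python
import html
from html.parser import HTMLParser


def legacy_cgi_escape(s, quote=False):
    """Stand-in for the old cgi.escape(): &, < and > are always escaped,
    the double quote only when quote is true, the single quote never."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


class _AttrCollector(HTMLParser):
    """Records the attributes of the first start tag it sees."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if self.attrs is None:
            self.attrs = dict(attrs)


def rendered_attrs(escaped_value, delim='"'):
    """Place an already-escaped value in <input value=...> and parse the tag."""
    parser = _AttrCollector()
    parser.feed("<input value={d}{v}{d}>".format(d=delim, v=escaped_value))
    parser.close()
    return parser.attrs


def breaks_out(escaper, value, delim='"'):
    """True if the escaped value still terminates the attribute early."""
    return set(rendered_attrs(escaper(value), delim)) != {"value"}


# Constructed inputs: a harmless marker attribute stands in for injected markup.
DQ_INPUT = 'x" data-injected="1'
SQ_INPUT = "x' data-injected='1"

if __name__ == "__main__":
    for name, esc in [("cgi default", legacy_cgi_escape),
                      ("cgi quote=True", lambda s: legacy_cgi_escape(s, True)),
                      ("html.escape", html.escape)]:
        print(name, breaks_out(esc, DQ_INPUT), breaks_out(esc, SQ_INPUT, "'"))
```

Only `html.escape()` with its default `quote=True` keeps both the double-quoted and the single-quoted attribute intact; the stand-in with `quote=True` still leaves single-quoted attributes exposed.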