On Jun 22, 2010, at 5:14 PM, Craig Younkins wrote:
I suggest rewording the documentation for the method making it more
clear what it should and should not be used for. I would like to see
the method changed to properly escape single-quotes, but if it is
not changed, the documentation shoul
http://bugs.python.org/issue9061
On Tue, Jun 22, 2010 at 5:29 PM, Bill Janssen wrote:
> Craig Younkins wrote:
>
> > cgi.escape never escapes single quote characters, which can easily lead to a
> > Cross-Site Scripting (XSS) vulnerability. This seems to be known by many,
> > but a quick search
Craig Younkins wrote:
> cgi.escape never escapes single quote characters, which can easily lead to a
> Cross-Site Scripting (XSS) vulnerability. This seems to be known by many,
> but a quick search reveals many are using cgi.escape for HTML attribute
> escaping.
Did you file a bug report?
Bill
Hello,
The method in question: http://docs.python.org/library/cgi.html#cgi.escape
http://svn.python.org/view/python/tags/r265/Lib/cgi.py?view=markup # at the bottom
"Convert the characters '&', '<' and '>' in string s to HTML-safe sequences.
Use this if you need to display text that might conta
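The gap Craig describes, as an added example that is not part of the thread or of the cgi module: `legacy_escape` reproduces the cgi.escape behaviour quoted above (it is a hand-written stand-in, since cgi.escape was later removed), `attr_escape` uses Python 3's html.escape(quote=True), which also converts the single quote, and the sample value is constructed.

```python
import html

# Constructed sample: a single quote is all that is needed to show the gap.
SAMPLE = "O'Brien"


def legacy_escape(s, quote=False):
    """Stand-in reproducing cgi.escape semantics: only '&', '<' and '>' are
    converted; quote=True adds '"' -> '&quot;', but "'" is never touched."""
    s = s.replace("&", "&amp;")  # must come first so new entities are not re-escaped
    s = s.replace("<", "&lt;")
    s = s.replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def attr_escape(s):
    """Escape a value for an HTML attribute, whichever quote style wraps it.
    html.escape(quote=True) converts '"' to &quot; and "'" to &#x27;."""
    return html.escape(s, quote=True)


# Characters that, if left raw, can close or alter an attribute value.
ATTR_UNSAFE = set("<>\"'")


def safe_in_attribute(escaped):
    """Return True if no attribute-breaking character survives escaping."""
    return not (ATTR_UNSAFE & set(escaped))


def render(value, escaper):
    """Build a single-quoted attribute using the given escaper."""
    return "<input value='%s'>" % escaper(value)


if __name__ == "__main__":
    for name, esc in (("cgi.escape-style", lambda s: legacy_escape(s, True)),
                      ("html.escape(quote=True)", attr_escape)):
        print(name, render(SAMPLE, esc), "safe:", safe_in_attribute(esc(SAMPLE)))
```

With the legacy escaper the single quote is passed through unchanged, so `render` emits an attribute whose delimiter the value can terminate; the hardened escaper leaves no such character.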