uotes, but if it is not changed, the
documentation should explicitly say this method does not make input safe for
inclusion in HTML.
Shameless plug: http://www.PythonSecurity.org/
Craig Younkins
___
Python-Dev mailing list
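An added example, not code from this thread or from CPython, showing the gap described above: an escaper that leaves the single quote alone does not make a value safe inside a single-quoted attribute. Since cgi.escape was removed from Python 3, the legacy_escape function below is an assumed re-creation of its documented contract (escape &, <, > and, only with quote=True, the double quote); html.escape with quote=True is the stdlib replacement that also escapes the single quote. The payload and the template are constructed for the demonstration; the check parses the rendered fragment with html.parser to see whether the injected text became a real attribute.

```python
import html
from html.parser import HTMLParser

# Constructed attacker-controlled value: closes the single-quoted attribute,
# then starts a new event-handler attribute.
PAYLOAD = "' onmouseover='alert(1)"


def legacy_escape(s: str, quote: bool = False) -> str:
    """Assumed re-creation of the old cgi.escape(s, quote) behaviour.

    It never touches the single quote, which is the point of the thread.
    """
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def safe_escape(s: str) -> str:
    """Stdlib replacement: html.escape with quote=True also escapes ' as &#x27;."""
    return html.escape(s, quote=True)


def render_link(title: str, escape) -> str:
    """Constructed template that places an untrusted value in a single-quoted attribute."""
    return f"<a title='{escape(title)}'>link</a>"


class _AnchorAttrs(HTMLParser):
    """Collects the attributes the HTML parser actually assigns to the <a> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # html.parser unescapes entity references in attribute values,
            # so a correctly escaped payload comes back as the original string.
            self.attrs = dict(attrs)


def parsed_attributes(fragment: str) -> dict:
    """Return the attribute dict the parser sees for the <a> element."""
    parser = _AnchorAttrs()
    parser.feed(fragment)
    parser.close()
    return parser.attrs


def injection_succeeded(fragment: str) -> bool:
    """True if the attacker's event handler became a real attribute."""
    return "onmouseover" in parsed_attributes(fragment)


if __name__ == "__main__":
    for name, escape in (("legacy_escape", legacy_escape), ("html.escape", safe_escape)):
        rendered = render_link(PAYLOAD, escape)
        print(f"{name:14s} -> {rendered}")
        print(f"{'':14s}    attrs={parsed_attributes(rendered)} "
              f"injected={injection_succeeded(rendered)}")
```

The legacy escaper renders the payload unchanged, so the parser sees an empty title plus a separate onmouseover attribute; with html.escape the whole payload stays inside the title value. A double-quoted attribute would be protected by legacy_escape only when quote=True is passed, which is exactly the kind of context-dependent contract the documentation would need to spell out.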
http://bugs.python.org/issue9061
On Tue, Jun 22, 2010 at 5:29 PM, Bill Janssen wrote:
> Craig Younkins wrote:
>
> > cgi.escape never escapes single quote characters, which can easily lead to a
> > Cross-Site Scripting (XSS) vulnerability. This seems to be known by