Karthikeyan Singaravelan <tir.kar...@gmail.com> added the comment:
Thanks Serhiy for the input. I initially thought this should be escaped since content was escaped and the same for header since user input taken directly could result in XSS. Maybe someone might be using this undocumented feature intentionally that might not be worth breaking. I will make a PR for this to be noted in docs that the parameters are interpreted as HTML.

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue35603>
_______________________________________