Senthil Kumaran <orsent...@gmail.com> added the comment:

On Wed, Jun 23, 2010 at 03:46:35PM +0000, Craig Younkins wrote:
> cgi.escape never escapes single quote characters, which can easily
> lead to a Cross-Site Scripting (XSS) vulnerability. This seems to be
> known by many, but a quick search reveals many are using cgi.escape
> for HTML attribute escaping.
cgi.escape is for HTML attribute escaping only. I guess you should explain or point out resources where a 'single quote' represented in a non-entity format in an HTML page has led to XSS.

> The intended use of this method is unclear to me.

Escape HTML characters (most commonly) >, <, & and ". And mostly when constructing responses where these characters are literally required.

> While the documentation says "if the value to be quoted might
> include single- or double-quote characters... [use the]
> xml.sax.saxutils module instead," it also implies that this method
> will make input safe for HTML. Because this method escapes 4 of the

"More suitable" for HTML would be the correct interpretation rather than making the "input safe". You might check the reference documentation leading to xml.sax.saxutils.

> I suggest rewording the documentation for the method making it more
> clear what it should and should not be used for.

The very next paragraph seems to address the security considerations while using the cgi module itself, rather than limiting it to cgi.escape. It says that:

"To be on the safe side, if you must pass a string gotten from a form to a shell command, you should make sure the string contains only alphanumeric characters, dashes, underscores, and periods."

With respect to your bug report:

1. Any doc change suggestions you propose? (After pointing out the resources requested in the first para)
2. If cgi.escape needs to escape single quotes, what should it be as: lsquo/rsquo (for XHTML) and ' or ' for others?

----------
nosy: +orsenthil

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue9061>
_______________________________________
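The attribute-escaping gap discussed in this thread, as an added example that is not part of the tracker comment or of CPython: `legacy_cgi_escape` is an assumed re-implementation of the documented cgi.escape behaviour (escape &, <, >, and " only when quote=True; cgi.escape itself was removed in Python 3.8), and `hardened_escape` wraps the stdlib `html.escape` (Python 3.2+), which also turns the single quote into an entity. The sample value is constructed.

```python
import html

# Constructed sample value: contains both quote characters plus a tag.
SAMPLE = "O'Reilly \"books\" <b>"


def legacy_cgi_escape(s, quote=False):
    """Assumed re-implementation of the old cgi.escape (not the stdlib one).

    Escapes &, <, > and, only when quote=True, the double quote.
    The single quote is never touched, which is the gap the report describes.
    """
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def hardened_escape(s):
    """Stdlib replacement: html.escape escapes ' as &#x27; and " as &quot;
    when quote=True (the default), so the value cannot close either kind
    of attribute delimiter."""
    return html.escape(s, quote=True)


def raw_delimiters_left(escaped):
    """Return the attribute delimiters that survived escaping unchanged.

    A non-empty result means the value can terminate an attribute that
    uses that delimiter, which is the XSS risk raised in the report.
    """
    return {c for c in ("'", '"') if c in escaped}


def build_attr(name, value, delimiter='"'):
    """Build name=<delim>value<delim> using the hardened escaper."""
    return f"{name}={delimiter}{hardened_escape(value)}{delimiter}"


if __name__ == "__main__":
    legacy = legacy_cgi_escape(SAMPLE, quote=True)
    print("cgi.escape-style:", legacy, "left raw:", raw_delimiters_left(legacy))
    safe = hardened_escape(SAMPLE)
    print("html.escape     :", safe, "left raw:", raw_delimiters_left(safe))
    print(build_attr("title", SAMPLE, "'"))
```

Running it shows the legacy escaper leaving the raw `'` in place even with quote=True, while html.escape leaves neither delimiter behind.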