New submission from Dhiraj: The pre-defined module cgi.escape() can lead to XSS or HTMLi in every version of Python.

Example:

    import cgi
    test = "<h1>Vulnerable</h1>"
    cgi.escape(test)

Works properly; all the characters are escaped properly. But,

Example 2:

    import cgi
    test2 = ' " '
    cgi.escape(test2)

does not work fine: the ' " ' character is not escaped properly and this may cause an XSS or HTMLi. Please find the attachments below (PFA).

The Python security expert says:

"- The behavior of the cgi.escape() function is not a bug. It works exactly as documented in the Python documentation, https://docs.python.org/2/library/cgi.html#cgi.escape
- By default the cgi.escape() function only escapes the three chars '<', '>' and '&'. The double quote char '"' is not quoted unless you call cgi.escape() with quote=True. The default mode is suitable for escaping blocks of text that may contain HTML."

He says that if quote = True is set then it is not vulnerable.

Example:

    cgi.escape('<h1>"ä"</h1>', quote=True)

But many website developers and many popular companies forget to implement the quote = True option and this may cause XSS and HTMLi. In my opinion there should be a predefined value in cgi.escape() which makes quote = True; then it will not be vulnerable. I hope this will be patched soon and updated.

Thank you (PFA)
Dhiraj Mishra
Bug

----------
assignee: docs@python
components: Documentation
files: CGI.ESCAPE_2.png
messages: 260600
nosy: DhirajMishra, docs@python
priority: normal
severity: normal
status: open
title: cgi.escape() Can Lead To XSS and HTMLi Vulnerabilities
versions: Python 3.6
Added file: http://bugs.python.org/file41982/CGI.ESCAPE_2.png

_______________________________________
Python tracker <rep...@bugs.python.org>
<http://bugs.python.org/issue26398>
_______________________________________
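The attribute-context breakout that the report is worried about, as an added example that is not part of the issue or of CPython. Because cgi.escape() was deprecated in Python 3.2 and removed in 3.8, the block uses a small stand-in (legacy_cgi_escape, an assumption here) that reproduces the documented behaviour: '&', '<' and '>' always, '"' only with quote=True, and "'" never. The two templates and the payloads are constructed for the demonstration; the parsed attributes come from the standard-library HTMLParser, which is used as a proxy for what a browser would see. The example goes beyond the post in two ways: it also shows that quote=True does nothing for a single-quoted attribute, and that html.escape(), which escapes both quote characters by default, closes both cases.

```python
import html
from html.parser import HTMLParser


def legacy_cgi_escape(s, quote=False):
    """Stand-in for the documented cgi.escape() behaviour (assumption: this is
    a reimplementation, not the stdlib function, which was removed in 3.8).

    Escapes '&', '<' and '>' always, '"' only when quote=True, and never "'".
    """
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


class _TagParser(HTMLParser):
    """Collects (tag, attributes) for every start tag the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_first_tag(markup):
    p = _TagParser()
    p.feed(markup)
    p.close()
    return p.tags[0]


def render_double_quoted(value, escaper):
    # Hypothetical template: untrusted value inside a double-quoted attribute.
    return '<input type="text" value="%s">' % escaper(value)


def render_single_quoted(value, escaper):
    # Hypothetical template: same field, but the developer used single quotes.
    return "<input type='text' value='%s'>" % escaper(value)


def injected_attrs(markup):
    """Attribute names in the parsed tag that the template itself did not emit.

    A non-empty result means the untrusted value broke out of its attribute.
    """
    _, attrs = parse_first_tag(markup)
    return sorted(set(attrs) - {"type", "value"})


# Constructed payloads: close the attribute and smuggle in an event handler.
PAYLOAD_DQ = '" onmouseover="alert(1)'
PAYLOAD_SQ = "' onmouseover='alert(1)"


def demo():
    results = {}
    # Default cgi.escape(): '"' survives, so the double-quoted attribute is
    # closed early and onmouseover becomes a real attribute.
    results["cgi_default"] = injected_attrs(
        render_double_quoted(PAYLOAD_DQ, legacy_cgi_escape))
    # quote=True turns '"' into &quot; and the breakout fails ...
    results["cgi_quote"] = injected_attrs(
        render_double_quoted(PAYLOAD_DQ,
                             lambda s: legacy_cgi_escape(s, quote=True)))
    # ... but "'" is never escaped, so a single-quoted attribute still breaks.
    results["cgi_quote_sq"] = injected_attrs(
        render_single_quoted(PAYLOAD_SQ,
                             lambda s: legacy_cgi_escape(s, quote=True)))
    # html.escape() escapes '"' and "'" by default (quote=True is its default).
    results["html_escape_dq"] = injected_attrs(
        render_double_quoted(PAYLOAD_DQ, html.escape))
    results["html_escape_sq"] = injected_attrs(
        render_single_quoted(PAYLOAD_SQ, html.escape))
    return results


if __name__ == "__main__":
    for name, attrs in demo().items():
        print("%-16s injected attributes: %s" % (name, attrs))
```

Escaping for an HTML attribute is only one context; a value placed inside a script block, a URL or an unquoted attribute needs its own treatment, and no variant of cgi.escape() or html.escape() covers those.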