[Tracker-discuss] [issue580] CSV Injection Vulnerability

2016-02-23 Thread R David Murray
R David Murray added the comment:

This should be reported to Roundup upstream. The fix should be simple (just changing the csv dialect), so it doesn't really matter who develops the patch as long as both upstream and we apply it :)

--
nosy: +r.david.murray
status: unread -> chatting

[Tracker-discuss] [issue580] CSV Injection Vulnerability

2016-02-23 Thread Maciej Szulik
New submission from Maciej Szulik:

Copied from http://bugs.python.org/issue26399:

The "Download as CSV" feature of bugs.python.org does not properly "escape" fields. This allows an adversary to turn a field into active content, so when we download the csv and open it, the active content gets
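A hardened writer for an export like the tracker's "Download as CSV", added here as an example and not Roundup's or the tracker's own code. It applies the dialect change discussed above (quote every field) and additionally neutralizes leading formula triggers, the part that spreadsheet applications act on; the header, rows and function names are assumed for illustration.

```python
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a
# formula. Tab and CR are included because they are commonly used to
# slip past a check that only looks at the very first character.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_field(value):
    """Return value with any spreadsheet formula trigger defanged.

    A leading single quote tells the spreadsheet to treat the cell as
    literal text. Embedded double quotes are left to the CSV writer.
    This is deliberately broad: a negative number like "-5" is also
    prefixed, which is harmless for an issue export.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        return "'" + text
    return text


def rows_to_csv(rows, header):
    """Serialise tracker rows to CSV text that is safe to open."""
    buf = io.StringIO()
    # QUOTE_ALL is the dialect change: every field is wrapped in double
    # quotes and embedded quotes are doubled, so a field can no longer
    # break out of its cell or smuggle in extra columns.
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_field(v) for v in row])
    return buf.getvalue()


# Constructed sample: issue rows as a tracker might export them, one with
# a user-controlled title that starts with "=" and one with embedded quotes.
SAMPLE_HEADER = ["id", "title", "status"]
SAMPLE_ROWS = [
    (580, "CSV Injection Vulnerability", "chatting"),
    (581, "=SUM(1,2)", "open"),
    (582, '+1 for this, see "notes"', "unread"),
]

if __name__ == "__main__":
    print(rows_to_csv(SAMPLE_ROWS, SAMPLE_HEADER))
```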