msg260600
Author: Dhiraj (Dhiraj_Mishra)
Date: 2016-02-21 09:45
The pre-defined module cgi.escape() can lead to XSS or HTMLi in every version of Python.

Example:

    import cgi
    test = "Vulnerable"
    cgi.escape(test)

Works properly; all the characters are escaped properly. But,

Example 2:

    import cgi
    test2 = ' " '
    cgi.escape(test2)

Does not work fine: the ' " ' character is not escaped properly and this may cause an XSS or HTMLi. Please find the attachments below (PFA).

The Python security expert says:

" - The behavior of the cgi.escape() function is not a bug. It works exactly as documented in the Python documentation, https://docs.python.org/2/library/cgi.html#cgi.escape
- By default the cgi.escape() function only escapes the three chars '<', '>' and '&'. The double quote char '"' is not quoted unless you call cgi.escape() with quote=True. The default mode is suitable for escaping blocks of text that may contain HTML."

He says that if quote = True then it's not vulnerable. Example:

    cgi.escape('"ä"', quote=True)

But many website developers and many popular companies forget to implement the quote = True function and this may cause XSS and HTMLi. According to me there should be a pre-defined value in cgi.escape() which makes quote = True; then it will not be vulnerable. I hope this will be patched soon and will be updated.

Thank you (PFA)
Dhiraj Mishra
Bug

msg260601
Author: Martin Panter (martin.panter)
Date: 2016-02-21 10:09
The Python 3 documentation <https://docs.python.org/3/library/cgi.html#cgi.escape> says this is deprecated in favour of html.escape(), which by default has quote=True. AFAIK there is no equivalent in Python 2. See Issue 2830 for the addition of html.escape(), and also Issue 9061 about cgi.escape() introducing vulnerabilities.

msg260610
Author: Dhiraj (Dhiraj_Mishra)
Date: 2016-02-21 12:31
Hello @martin.panter, okay. But still the module cgi.escape() is vulnerable; if the Python docs have created a new html.escape, you might remove cgi.escape() or implement quote = True in cgi.escape() pre-defined, as it is in html.escape, because developers mostly use CGI. It's a humble request. I hope I did well. Thank you, martin.panter

msg260643
Author: Georg Brandl (georg.brandl)
Date: 2016-02-21 21:56
I don't think there is anything to be done here. cgi.escape() is documented properly, deprecated in Python 3.x, and changing its implementation is not really an option now.

msg260654
Author: Dhiraj (Dhiraj_Mishra)
Date: 2016-02-22 03:06
Hello @Georg Brandl, PFA. You'll be happy to find that Python 3.x is still vulnerable to cgi.escape(): the module is not able to escape some values and can lead to XSS also. As @Martin Panter said, cgi.escape() has now been replaced by html.escape(), so accordingly cgi.escape() should have a pre-defined value "quote = True", which is not there in any version of Python 3.x, or the module should be removed because we have html.escape(), because many people still use CGI in web applications. Thank you

msg260729
Author: Dhiraj (Dhiraj_Mishra)
Date: 2016-02-23 13:06
Even the IDLE of Python is vulnerable to cgi.escape(). Please have a look at the attachments. I hope this would be patched soon. Thank you

msg260740
Author: Gregory P. Smith (gregory.p.smith)
Date: 2016-02-23 17:41
As pointed out, this is working as intended and is documented as such. That it isn't what you want is why Python 3 has html.escape() instead.
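The difference the thread is arguing about, shown as an added example (not code from the tracker or from CPython): the documented cgi.escape() behaviour is re-implemented as legacy_cgi_escape() so the script runs on Pythons where the cgi module has been removed, the untrusted value and the title attribute are constructed for this example, and html.escape() is the standard-library function that Martin and Gregory point to. Each mode renders the same value into a double-quoted attribute and a defensive check counts the quotes that survive.

```python
import html

# Constructed untrusted input: contains the '"' that cgi.escape() leaves alone
# by default, plus '&' and '<' which it does escape.
UNTRUSTED = 'Smith & "Sons" <Ltd>'


def legacy_cgi_escape(s, quote=False):
    """Re-implementation of the documented cgi.escape() behaviour: only '&',
    '<' and '>' are escaped; '"' is escaped only when quote=True."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def render_attr(escaper, value):
    """Build a double-quoted title attribute from an escaping function."""
    return 'title="%s"' % escaper(value)


def attr_value_intact(rendered):
    """Defensive check: in a double-quoted attribute the only '"' characters
    allowed are the two delimiters; any extra one lets the value end the
    attribute early, which is the injection point the thread is about."""
    return rendered.count('"') == 2


def compare(value=UNTRUSTED):
    """Return {mode: (rendered_attribute, intact?)} for the three escaping modes."""
    modes = {
        "cgi.escape default": lambda s: legacy_cgi_escape(s),
        "cgi.escape quote=True": lambda s: legacy_cgi_escape(s, quote=True),
        "html.escape": html.escape,  # quote=True by default; also escapes "'"
    }
    result = {}
    for label, escaper in modes.items():
        rendered = render_attr(escaper, value)
        result[label] = (rendered, attr_value_intact(rendered))
    return result


if __name__ == "__main__":
    for label, (rendered, ok) in compare().items():
        print("%-22s %-7s %s" % (label, "OK" if ok else "BROKEN", rendered))
```

Only the default cgi.escape() row fails the check; the quote=True row and html.escape() both leave exactly the two delimiting quotes, and html.escape() additionally escapes single quotes, which matters for single-quoted attributes.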