[Python-Dev] Use of cgi.escape can lead to XSS vulnerabilities

James Y Knight foom at fuhm.net
Thu Jun 24 02:26:25 CEST 2010


On Jun 22, 2010, at 5:14 PM, Craig Younkins wrote:

I suggest rewording the documentation for the method making it more clear what it should and should not be used for. I would like to see the method changed to properly escape single-quotes, but if it is not changed, the documentation should explicitly say this method does not make input safe for inclusion in HTML.

Well, it does make the input safe for inclusion in HTML...in a
double-quoted attribute.

The docs could make it clearer that you should always use double-quotes around your attribute values when using it, though, I agree.
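The behaviour discussed in this thread, as an added example that is not part of the original messages: a re-implementation of the legacy cgi.escape() semantics (the function itself was removed from the standard library in Python 3.8) next to html.escape(), plus a small check showing which attribute quoting each output is safe in. The helper names and the sample input are my own.

```python
import html


def legacy_cgi_escape(s: str, quote: bool = False) -> str:
    """Constructed re-implementation of the old cgi.escape() behaviour.

    Escapes &, < and >; double quotes only when quote=True; single quotes never.
    Not the stdlib code, just its documented behaviour, so the example runs today.
    """
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def hardened_escape(s: str) -> str:
    """html.escape(quote=True) also escapes both " and ' (as &quot; and &#x27;)."""
    return html.escape(s, quote=True)


def safe_in_attribute(escaped: str, quote_char: str) -> bool:
    """True if `escaped` can sit inside an attribute delimited by `quote_char`
    without the delimiter (or a tag bracket) appearing unescaped."""
    return (
        quote_char not in escaped
        and "<" not in escaped
        and ">" not in escaped
    )


def render_title_attr(value: str, quote_char: str, escaper) -> str:
    """Build a title attribute with the given delimiter and escaping function."""
    return f'<a title={quote_char}{escaper(value)}{quote_char}>link</a>'


if __name__ == "__main__":
    sample = "O'Reilly & <co>"  # constructed input containing all four special chars
    for name, fn in (("legacy", lambda s: legacy_cgi_escape(s, quote=True)),
                     ("hardened", hardened_escape)):
        for q in ('"', "'"):
            out = fn(sample)
            print(f"{name:8} in {q}-quoted attr: safe={safe_in_attribute(out, q)} "
                  f"-> {render_title_attr(sample, q, fn)}")
```

The legacy output is only safe inside a double-quoted attribute, which is exactly the point made above; html.escape() with quote=True is safe in either quoting style.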


