
List:       python-dev
Subject:    Re: [Python-Dev] Use of cgi.escape can lead to XSS vulnerabilities
From:       James Y Knight <foom () fuhm ! net>
Date:       2010-06-24 0:26:25
Message-ID: 09E6BE78-066E-4BCF-AA34-C6286CF8AB98 () fuhm ! net


On Jun 22, 2010, at 5:14 PM, Craig Younkins wrote:

> I suggest rewording the documentation for the method making it more  
> clear what it should and should not be used for. I would like to see  
> the method changed to properly escape single-quotes, but if it is  
> not changed, the documentation should explicitly say this method  
> does not make input safe for inclusion in HTML.

Well, it *does* make the input safe for inclusion in HTML...in a  
double-quoted attribute.

The docs could make it clearer that you should always use double
quotes around your attribute values when using it, though, I agree.
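The attribute-context point made above, as an added example (this code is not from the thread or from CPython; it reproduces the old cgi.escape rules in a helper so it runs on current Python, where cgi.escape has been removed since 3.8, and UNTRUSTED is a constructed sample value, not real data):

```python
import html

# Constructed untrusted input (not from the thread). It contains a single
# quote but none of & < > ", so cgi.escape-style escaping leaves it unchanged.
UNTRUSTED = "x' onclick='alert(1)"


def legacy_cgi_escape(s, quote=False):
    """Reproduce the escaping rules of the old cgi.escape: & < > always,
    double quote only when quote=True, single quote never."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def legacy_cgi_escape_quoted(s):
    """cgi.escape(s, quote=True), the most escaping the old function offered."""
    return legacy_cgi_escape(s, quote=True)


def escape_for_attribute(s):
    """html.escape(quote=True) escapes both quote characters (' becomes &#x27;),
    so the result stays inside a single- or double-quoted attribute."""
    return html.escape(s, quote=True)


def render_attribute(value, escape, delimiter):
    """Build an attribute value enclosed in the given delimiter."""
    return f"<input value={delimiter}{escape(value)}{delimiter}>"


def value_escapes_attribute(escaped_value, delimiter):
    """True when the escaped text can terminate the attribute early, i.e. it
    still contains the delimiter that encloses it."""
    return delimiter in escaped_value


ESCAPERS = (
    ("cgi.escape(quote=True)", legacy_cgi_escape_quoted),
    ("html.escape(quote=True)", escape_for_attribute),
)


def audit(value=UNTRUSTED):
    """Map (escaper name, attribute delimiter) to whether the value breaks out."""
    results = {}
    for name, escape in ESCAPERS:
        for delimiter in ("'", '"'):
            results[(name, delimiter)] = value_escapes_attribute(escape(value), delimiter)
    return results


if __name__ == "__main__":
    for (name, delimiter), broke_out in audit().items():
        markup = render_attribute(UNTRUSTED, dict(ESCAPERS)[name], delimiter)
        print(f"{name:24} delimiter={delimiter}  breakout={broke_out}  {markup}")
```

Only the cgi.escape output inside a single-quoted attribute lets the value terminate the attribute and start a new one; the same output inside double quotes, and html.escape output in either, stays a plain string. Unquoted attribute values are unsafe with either escaper, since whitespace ends them.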