HTML-escape the plain traceback in cgitb's HTML output, to prevent

the traceback inadvertently or maliciously closing the comment and injecting HTML into the error page.

HTML-escape the plain traceback in cgitb's HTML output, to prevent
the traceback inadvertently or maliciously closing the comment and injecting HTML into the error page.
a09a96a5 · Georg Brandl · 8be9ab84 · a09a96a5 · a09a96a5
Commit a09a96a5 authored May 15, 2007 by Georg Brandl
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

Lib/cgitb.py Lib/cgitb.py +2 -1

Misc/NEWS Misc/NEWS +4 -0

No files found.
--- a/Lib/cgitb.py
+++ b/Lib/cgitb.py
@@ -183,7 +183,8 @@ function calls leading up to the error, in the order they occurred.</p>'''
 %s
 -->
-''' % ''.join(traceback.format_exception(etype, evalue, etb))
+''' % pydoc.html.escape(
+          ''.join(traceback.format_exception(etype, evalue, etb)))
 def text((etype, evalue, etb), context=5):
    """Return a plain text document describing a given traceback."""

--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -207,6 +207,10 @@ Core and builtins
 Library
 -------
+- HTML-escape the plain traceback in cgitb's HTML output, to prevent
+  the traceback inadvertently or maliciously closing the comment and
+  injecting HTML into the error page.
 - The popen2 module and os.popen* are deprecated.  Use the subprocess module.
 - Added an optional credentials argument to SMTPHandler, for use with SMTP