diff options
| author | Georg Brandl <georg@python.org> | 2007-05-15 20:19:39 +0000 |
|---|---|---|
| committer | Georg Brandl <georg@python.org> | 2007-05-15 20:19:39 +0000 |
| commit | 4c87581c328c0f0fc9cc477c62f5f1a37799ba8c (patch) | |
| tree | ddbf2952f076e7b1d05b6b3eddd3456af84b15cc | |
| parent | 0d338e4bc6b310dd91548aaac87073102055c084 (diff) | |
| download | cpython-git-4c87581c328c0f0fc9cc477c62f5f1a37799ba8c.tar.gz | |
HTML-escape the plain traceback in cgitb's HTML output, to prevent
the traceback inadvertently or maliciously closing the comment and
injecting HTML into the error page.
(backport from rev. 55348)
| -rw-r--r-- | Lib/cgitb.py | 3 | ||||
| -rw-r--r-- | Misc/NEWS | 4 |
2 files changed, 6 insertions, 1 deletions
diff --git a/Lib/cgitb.py b/Lib/cgitb.py index 1c300b24ea..19b4149f9f 100644 --- a/Lib/cgitb.py +++ b/Lib/cgitb.py @@ -183,7 +183,8 @@ function calls leading up to the error, in the order they occurred.</p>''' %s --> -''' % ''.join(traceback.format_exception(etype, evalue, etb)) +''' % pydoc.html.escape( + ''.join(traceback.format_exception(etype, evalue, etb))) def text((etype, evalue, etb), context=5): """Return a plain text document describing a given traceback.""" @@ -12,6 +12,10 @@ What's New in Python 2.5.2c1? Library ------- +- HTML-escape the plain traceback in cgitb's HTML output, to prevent + the traceback inadvertently or maliciously closing the comment and + injecting HTML into the error page. + - Bug #1290505: Properly clear time.strptime's locale cache when the locale changes between calls. Backport of r54646 and r54647. |