Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / external / python / cpython2 / a09a96a5440144f926c69250dab7b9bbf06bd789^! / .
commita09a96a5440144f926c69250dab7b9bbf06bd789[log] [tgz]
authorGeorg Brandl <georg@python.org>Tue May 15 20:19:34 2007 +0000
committerGeorg Brandl <georg@python.org>Tue May 15 20:19:34 2007 +0000
tree34ec2344498a9ab8708189cd0cbdf3038238fab5
parent8be9ab84979cc09caf41177f101089e4feaae65b [diff]
HTML-escape the plain traceback in cgitb's HTML output, to prevent
the traceback inadvertently or maliciously closing the comment and
injecting HTML into the error page.

diff --git a/Lib/cgitb.py b/Lib/cgitb.py
index 1c300b2..19b4149 100644
--- a/Lib/cgitb.py
+++ b/Lib/cgitb.py

@@ -183,7 +183,8 @@
 
 %s
 -->
-''' % ''.join(traceback.format_exception(etype, evalue, etb))
+''' % pydoc.html.escape(
+          ''.join(traceback.format_exception(etype, evalue, etb)))
 
 def text((etype, evalue, etb), context=5):
     """Return a plain text document describing a given traceback."""

diff --git a/Misc/NEWS b/Misc/NEWS
index 32531f6..79db74a 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS

@@ -207,6 +207,10 @@
 Library
 -------
 
+- HTML-escape the plain traceback in cgitb's HTML output, to prevent
+  the traceback inadvertently or maliciously closing the comment and
+  injecting HTML into the error page.
+
 - The popen2 module and os.popen* are deprecated.  Use the subprocess module.
 
 - Added an optional credentials argument to SMTPHandler, for use with SMTP