[Bugfix candidate] Escape traceback type and value. There are probably additional cases where cgitb.py doesn't escape as paranoidly as it should (e.g. attribute names)
diff --git a/Lib/cgitb.py b/Lib/cgitb.py
index cd469ad..ab4c598 100644
--- a/Lib/cgitb.py
+++ b/Lib/cgitb.py
@@ -146,7 +146,8 @@
<table width="100%%" cellspacing=0 cellpadding=0 border=0>
%s</table>''' % '\n'.join(rows))
- exception = ['<p>%s: %s' % (strong(str(etype)), str(evalue))]
+ exception = ['<p>%s: %s' % (strong(pydoc.html.escape(str(etype))),
+ pydoc.html.escape(str(evalue)))]
if type(evalue) is types.InstanceType:
for name in dir(evalue):
if name[:1] == '_': continue