
Classification
Title: cgi.escape() Can Lead To XSS and HTML Vulnerabilities
Type: security
Stage: (none)
Components: Documentation
Versions: Python 3.6, Python 3.4, Python 3.5, Python 2.7

Process
Status: closed
Resolution: fixed
Dependencies: (none)
Superseder: cgi.escape Can Lead To XSS Vulnerabilities (Issue 9061)
Assigned To: docs@python
Nosy List: Dhiraj_Mishra, christian.heimes, docs@python, dstufft, georg.brandl, gregory.p.smith, martin.panter
Priority: normal
Keywords: (none)

Created on 2016-02-21 09:45 by Dhiraj_Mishra, last changed 2022-04-11 14:58 by admin. This issue is now closed.

Files
CGI.ESCAPE_2.png - uploaded by Dhiraj_Mishra, 2016-02-21 09:45 - "File is demonstrating the bug of cgi.escape(); please have a look."
cgi.escape_Dhiraj_Mishra.png - uploaded by Dhiraj_Mishra, 2016-02-22 03:06
Python-IDLE-CGI-Vulnerable.png - uploaded by Dhiraj_Mishra, 2016-02-23 13:06
Messages (7)
msg260600 - (view) Author: Dhiraj (Dhiraj_Mishra) * Date: 2016-02-21 09:45
The pre-defined module cgi.escape() can lead to XSS or HTMLi in every version of Python.
Example:
import cgi
test = "<h1>Vulnerable</h1>"
print(cgi.escape(test))  # '<', '>' and '&' are replaced with entities
Works properly, all the characters are escaped properly, but
Example 2:
import cgi
test2 = ' " '
print(cgi.escape(test2))  # the double quote is returned unchanged
Does not work fine, and the ' " ' character is not escaped properly, and this may cause an XSS or HTMLi.
Please find the attachments below (PFA).
The Python Security Expert says:
"- The behavior of the cgi.escape() function is not a bug. It works exactly as documented in the Python documentation, https://docs.python.org/2/library/cgi.html#cgi.escape
- By default the cgi.escape() function only escapes the three chars '<', '>' and '&'. The double quote char '"' is not quoted unless you call cgi.escape() with quote=True. The default mode is suitable for escaping blocks of text that may contain HTML."
He says that if quote = True then it's not vulnerable.
Example:
print(cgi.escape('<h1>"&auml;"</h1>', quote=True))  # with quote=True the '"' is also replaced
But many website developers and many popular companies forget to implement the quote = True function, and this may cause XSS and HTMLi.
According to me there should be a predefined value in cgi.escape() which makes quote = True; then it will not be vulnerable.
I hope this will be patched soon and will be updated.
Thank You (PFA)
Dhiraj Mishra
Bug
msg260601 - (view) Author: Martin Panter (martin.panter) * (Python committer) Date: 2016-02-21 10:09
The Python 3 documentation <https://docs.python.org/3/library/cgi.html#cgi.escape> says this is deprecated in favour of html.escape(), which by default has quote=True. AFAIK there is no equivalent in Python 2. See Issue 2830 for the addition of html.escape(), and also Issue 9061 about cgi.escape() introducing vulnerabilities.
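The behaviour the report and this reply describe, as an added example that is not part of the original issue: cgi.escape's default (reimplemented here from its documentation, since cgi.escape itself was removed in Python 3.8) beside cgi.escape(quote=True) and html.escape, plus a check that the escaped value cannot close a double-quoted HTML attribute. The helper names and sample inputs are my own.

```python
import html


def legacy_cgi_escape(s, quote=False):
    """Reimplementation of the documented cgi.escape() behaviour so the
    comparison runs on current Python (cgi.escape was removed in 3.8).
    Only '&', '<' and '>' are replaced; '"' only when quote=True, and
    a single quote is never touched."""
    s = s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    if quote:
        s = s.replace('"', "&quot;")
    return s


def render_attr(value, escaper):
    """Place an escaped value inside a double-quoted attribute, the way a
    naive template would."""
    return '<input value="%s">' % escaper(value)


def attribute_intact(rendered):
    """True only if the tag still has exactly the two quotes that delimit
    the attribute, i.e. the escaped value did not close it early."""
    return rendered.count('"') == 2


def compare_escapers(value):
    """The same input through cgi.escape's default, cgi.escape with
    quote=True, and html.escape's default (which is quote=True)."""
    return {
        "cgi_default": legacy_cgi_escape(value),
        "cgi_quote": legacy_cgi_escape(value, quote=True),
        "html_default": html.escape(value),
    }


# Constructed inputs: one with a double quote, one with a single quote.
SAMPLE_DQ = 'say "hi"'
SAMPLE_SQ = "it's"

if __name__ == "__main__":
    for name, out in compare_escapers(SAMPLE_DQ).items():
        print(name, repr(out))
    print("cgi default keeps attribute intact:",
          attribute_intact(render_attr(SAMPLE_DQ, legacy_cgi_escape)))
    print("html.escape keeps attribute intact:",
          attribute_intact(render_attr(SAMPLE_DQ, html.escape)))
    # Even quote=True never escaped the single quote; html.escape does.
    print(repr(legacy_cgi_escape(SAMPLE_SQ, quote=True)), repr(html.escape(SAMPLE_SQ)))
```

The attribute check is the defender's test to run over a template's output: with the legacy default the double quote survives and the attribute breaks, with html.escape it does not.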
msg260610 - (view) Author: Dhiraj (Dhiraj_Mishra) * Date: 2016-02-21 12:31
Hello @martin.panter, okay, but still the module cgi.escape() is vulnerable. If the Python docs have created a new html.escape, you might remove cgi.escape() or implement quote = True in cgi.escape() as predefined, as it is in html.escape, because developers mostly use CGI.
It's a humble request; I hope I did well.
Thank You martin.panter
msg260643 - (view) Author: Georg Brandl (georg.brandl) * (Python committer) Date: 2016-02-21 21:56
I don't think there is anything to be done here. cgi.escape() is documented properly, deprecated in Python 3.x, and changing its implementation is not really an option now.
msg260654 - (view) Author: Dhiraj (Dhiraj_Mishra) * Date: 2016-02-22 03:06
Hello @Georg Brandl, PFA: you'll be happy to find that Python 3.x is still vulnerable to cgi.escape(); the module is not able to escape some values and can lead to XSS also.
As @Martin Panter said, cgi.escape() has now been replaced by html.escape(), so accordingly cgi.escape() should have a pre-defined value "quote = True", which is not there in any version of Python 3.x, or the module should be removed because we have html.escape(), because many people still use CGI in web applications.
Thank You
msg260729 - (view) Author: Dhiraj (Dhiraj_Mishra) * Date: 2016-02-23 13:06
Even the IDLE of Python is vulnerable to CGI.ESCAPE(). Please have a look at the attachments; I hope this would be patched soon.
Thank You
msg260740 - (view) Author: Gregory P. Smith (gregory.p.smith) * (Python committer) Date: 2016-02-23 17:41
As pointed out, this is working as intended and is documented as such. That it isn't what you want is why Python 3 has html.escape() instead.
History
Date | User | Action | Args
2022-04-11 14:58:27 | admin | set | github: 70586
2016-02-23 17:45:03 | Dhiraj_Mishra | set | resolution: duplicate -> fixed
2016-02-23 17:41:45 | gregory.p.smith | set | status: open -> closed; versions: + Python 2.7, Python 3.4, Python 3.5; superseder: cgi.escape Can Lead To XSS Vulnerabilities; messages: + msg260740; resolution: duplicate
2016-02-23 13:06:53 | Dhiraj_Mishra | set | files: + Python-IDLE-CGI-Vulnerable.png; nosy: + gregory.p.smith, dstufft; messages: + msg260729; type: security
2016-02-22 03:06:39 | Dhiraj_Mishra | set | files: + cgi.escape_Dhiraj_Mishra.png; messages: + msg260654
2016-02-21 21:56:51 | georg.brandl | set | nosy: + georg.brandl; messages: + msg260643
2016-02-21 17:29:42 | christian.heimes | set | nosy: + christian.heimes
2016-02-21 12:31:25 | Dhiraj_Mishra | set | messages: + msg260610
2016-02-21 10:09:30 | martin.panter | set | nosy: + martin.panter; messages: + msg260601; title: cgi.escape() Can Lead To XSS and HTMLi Vulnerabilities -> cgi.escape() Can Lead To XSS and HTML Vulnerabilities
2016-02-21 09:45:59 | Dhiraj_Mishra | create |
