Commits

Georg Brandl committed 26349a6

HTML-escape the plain traceback in cgitb's HTML output, to prevent
the traceback inadvertently or maliciously closing the comment and
injecting HTML into the error page.
(backport from rev. 55348)

Comments (0)

Files changed (2)

 
 %s
 -->
-''' % ''.join(traceback.format_exception(etype, evalue, etb))
+''' % pydoc.html.escape(
+          ''.join(traceback.format_exception(etype, evalue, etb)))
 
 def text((etype, evalue, etb), context=5):
     """Return a plain text document describing a given traceback."""
 Library
 -------
 
+- HTML-escape the plain traceback in cgitb's HTML output, to prevent
+  the traceback inadvertently or maliciously closing the comment and
+  injecting HTML into the error page.
+
 - idle: Honor the "Cancel" action in the save dialog (Debian bug #299092).
 
 Tests