Commits

Georg Brandl committed 26349a6

HTML-escape the plain traceback in cgitb's HTML output, to prevent
the traceback inadvertently or maliciously closing the comment and
injecting HTML into the error page.
(backport from rev. 55348)

  • Participants
  • Parent commits 13f3931
  • Branches 2.4

Comments (0)

Files changed (2)

 
 %s
 -->
-''' % ''.join(traceback.format_exception(etype, evalue, etb))
+''' % pydoc.html.escape(
+          ''.join(traceback.format_exception(etype, evalue, etb)))
 
 def text((etype, evalue, etb), context=5):
     """Return a plain text document describing a given traceback."""
 Library
 -------
 
+- HTML-escape the plain traceback in cgitb's HTML output, to prevent
+  the traceback inadvertently or maliciously closing the comment and
+  injecting HTML into the error page.
+
 - idle: Honor the "Cancel" action in the save dialog (Debian bug #299092).
 
 Tests