HTML-escape the plain traceback in cgitb's HTML output, to prevent
the traceback inadvertently or maliciously closing the comment and injecting HTML into the error page.
This commit is contained in:
parent
8be9ab8497
commit
a09a96a544
|
@ -183,7 +183,8 @@ function calls leading up to the error, in the order they occurred.</p>'''
|
|||
|
||||
%s
|
||||
-->
|
||||
''' % ''.join(traceback.format_exception(etype, evalue, etb))
|
||||
''' % pydoc.html.escape(
|
||||
''.join(traceback.format_exception(etype, evalue, etb)))
|
||||
|
||||
def text((etype, evalue, etb), context=5):
|
||||
"""Return a plain text document describing a given traceback."""
|
||||
|
|
|
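Review bot: the escaping is correct for the stated goal, but the hunk would benefit from a regression test. Since the traceback is emitted inside an HTML comment, the only sequence that can terminate it is `-->`, and `pydoc.html.escape` rewrites `>` to `&gt;` (along with `&` and `<`), so an exception message or source line containing `-->` can no longer close the comment or inject markup. A test that raises an exception whose message contains `-->` and asserts that `-->` occurs exactly once in the output of `cgitb.html(...)` (the legitimate closing of the comment) would lock this in; without it a later refactor of the template could silently drop the escape.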
@ -207,6 +207,10 @@ Core and builtins
|
|||
Library
|
||||
-------
|
||||
|
||||
- HTML-escape the plain traceback in cgitb's HTML output, to prevent
|
||||
the traceback inadvertently or maliciously closing the comment and
|
||||
injecting HTML into the error page.
|
||||
|
||||
- The popen2 module and os.popen* are deprecated. Use the subprocess module.
|
||||
|
||||
- Added an optional credentials argument to SMTPHandler, for use with SMTP
|
||||
|
|
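Review bot: the NEWS entry names the behaviour but not the affected function or a tracker reference. Stating that this concerns `cgitb.html()` specifically, and citing the bug or issue number if one exists, would make the entry actionable for anyone auditing which releases carry the fix.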