HTML-escape the plain traceback in cgitb's HTML output, to prevent

the traceback inadvertently or maliciously closing the comment and
injecting HTML into the error page.
This commit is contained in:
Georg Brandl 2007-05-15 20:19:34 +00:00
parent 8be9ab8497
commit a09a96a544
2 changed files with 6 additions and 1 deletions

View File

@ -183,7 +183,8 @@ function calls leading up to the error, in the order they occurred.</p>'''
%s %s
--> -->
''' % ''.join(traceback.format_exception(etype, evalue, etb)) ''' % pydoc.html.escape(
''.join(traceback.format_exception(etype, evalue, etb)))
def text((etype, evalue, etb), context=5): def text((etype, evalue, etb), context=5):
"""Return a plain text document describing a given traceback.""" """Return a plain text document describing a given traceback."""

View File

@ -207,6 +207,10 @@ Core and builtins
Library Library
------- -------
- HTML-escape the plain traceback in cgitb's HTML output, to prevent
the traceback inadvertently or maliciously closing the comment and
injecting HTML into the error page.
- The popen2 module and os.popen* are deprecated. Use the subprocess module. - The popen2 module and os.popen* are deprecated. Use the subprocess module.
- Added an optional credentials argument to SMTPHandler, for use with SMTP - Added an optional credentials argument to SMTPHandler, for use with SMTP