From: Georg Brandl Date: Tue, 15 May 2007 20:19:42 +0000 (+0000) Subject: HTML-escape the plain traceback in cgitb's HTML output, to prevent X-Git-Tag: v2.4.5c1~14 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=05d9f30f9612cb8bbed8f2224840027c3e027e03;p=thirdparty%2FPython%2Fcpython.git HTML-escape the plain traceback in cgitb's HTML output, to prevent the traceback inadvertently or maliciously closing the comment and injecting HTML into the error page. (backport from rev. 55348)
---
diff --git a/Lib/cgitb.py b/Lib/cgitb.py
index a52800afef55..86e4eb9a2eaa 100644
--- a/Lib/cgitb.py
+++ b/Lib/cgitb.py
@@ -182,7 +182,8 @@ function calls leading up to the error, in the order they occurred.

''' %s -->
-''' % ''.join(traceback.format_exception(etype, evalue, etb))
+''' % pydoc.html.escape(
+ ''.join(traceback.format_exception(etype, evalue, etb)))
 def text((etype, evalue, etb), context=5):
 """Return a plain text document describing a given traceback."""
diff --git a/Misc/NEWS b/Misc/NEWS
index 280b6aa34936..e8ea8cc01a58 100644
--- a/Misc/NEWS
+++ b/Misc/NEWS
@@ -26,6 +26,10 @@ Extension Modules
 Library
 -------
+- HTML-escape the plain traceback in cgitb's HTML output, to prevent
+ the traceback inadvertently or maliciously closing the comment and
+ injecting HTML into the error page.
+
 - idle: Honor the "Cancel" action in the save dialog (Debian bug #299092).
 Tests
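Review bot: The new `pydoc.html.escape(...)` call closes the comment-break-out hole, but the explanatory prose inside the HTML comment just above the hunk (as far as I recall it reads "here is the original traceback:") now oversells what follows, because the traceback is entity-encoded and anyone reading the raw page sees `&lt;`, `&gt;` and `&amp;` where the plain text had `<`, `>` and `&`; I would reword that line to `are not reading this in a Web browser, here is the original traceback (HTML-escaped):`. The commit also carries no regression test; a short test that calls `html()` (same tuple-plus-`context` signature as the `text()` visible below) with an exception whose message contains `-->` and asserts the rendered page still holds only the one closing `-->` emitted by the template would pin the fix against later refactoring. The enclosing `html()` starts outside the hunk, so confirm that `pydoc` is already bound in its body on this branch — presumably via a function-local import — rather than relying on a module-level import that only a later version has.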