diff options
author | Andrew M. Kuchling <amk@amk.ca> | 2004-03-31 20:17:56 (GMT) |
---|---|---|
committer | Andrew M. Kuchling <amk@amk.ca> | 2004-03-31 20:17:56 (GMT) |
commit | b67c94318ec85722ce01c03955d6fbf50e3f7aa9 (patch) | |
tree | f62df629a6f12fcce77475f2475eedc7f59651b8 | |
parent | fb66cd25406555124fbab964388d4a79a7bc792e (diff) | |
download | cpython-b67c94318ec85722ce01c03955d6fbf50e3f7aa9.zip cpython-b67c94318ec85722ce01c03955d6fbf50e3f7aa9.tar.gz cpython-b67c94318ec85722ce01c03955d6fbf50e3f7aa9.tar.bz2 |
[Bugfix candidate] Escape traceback type and value. There are probably additional cases where cgitb.py doesn't escape as paranoidly as it should (e.g. attribute names)
-rw-r--r-- | Lib/cgitb.py | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/Lib/cgitb.py b/Lib/cgitb.py index cd469ad..ab4c598 100644 --- a/Lib/cgitb.py +++ b/Lib/cgitb.py @@ -146,7 +146,8 @@ function calls leading up to the error, in the order they occurred.''' <table width="100%%" cellspacing=0 cellpadding=0 border=0> %s</table>''' % '\n'.join(rows)) - exception = ['<p>%s: %s' % (strong(str(etype)), str(evalue))] + exception = ['<p>%s: %s' % (strong(pydoc.html.escape(str(etype))), + pydoc.html.escape(str(evalue)))] if type(evalue) is types.InstanceType: for name in dir(evalue): if name[:1] == '_': continue |