the traceback inadvertently or maliciously closing the comment and
injecting HTML into the error page.
(backport from rev. 55348)
%s
-->
-''' % ''.join(traceback.format_exception(etype, evalue, etb))
+''' % pydoc.html.escape(
+ ''.join(traceback.format_exception(etype, evalue, etb)))
def text((etype, evalue, etb), context=5):
"""Return a plain text document describing a given traceback."""
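Review bot: the escaping is correctly placed at the only point where the traceback enters the HTML comment, since the `-->` on the context line just above is what an unescaped `>` in the formatted traceback could terminate early; escaping `<`, `>` and `&` before interpolation means no traceback content can close the comment or start a tag. Two things to check on the `+` lines: `pydoc.html.escape` is an `HTMLRepr` method reached through a module-level instance rather than a documented escaping entry point, so a short comment noting that it is equivalent to `cgi.escape` (or a direct call to `cgi.escape`, which cgitb already depends on) would make the intent clearer to the next reader; and the continuation line `+ ''.join(traceback.format_exception(etype, evalue, etb)))` should be indented consistently with the opening paren so the closing parenthesis count is obviously balanced when read in the diff.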
Library
-------
+- HTML-escape the plain traceback in cgitb's HTML output, to prevent
+ the traceback inadvertently or maliciously closing the comment and
+ injecting HTML into the error page.
+
- Bug #1290505: Properly clear time.strptime's locale cache when the locale
changes between calls. Backport of r54646 and r54647.
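Review bot: the new NEWS entry omits the backport reference that the neighbouring entries carry (the `time.strptime` entry directly below says "Backport of r54646 and r54647"), while the commit message does record "(backport from rev. 55348)"; suggest ending the entry with the same form, e.g. "Backport of r55348.", so the maintenance-branch changelog stays traceable to trunk. The wording itself ("to prevent the traceback inadvertently or maliciously closing the comment") reads fine as a security-relevant changelog line.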