From a2aa1ac42b02e473a00cd1be225c750726869b41 Mon Sep 17 00:00:00 2001
From: Georg Brandl <georg@python.org>
Date: Sun, 26 Jun 2005 21:33:14 +0000
Subject: [PATCH] bug [ 1100201 ] Cross-site scripting on BaseHTTPServer

---
 Lib/BaseHTTPServer.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Lib/BaseHTTPServer.py b/Lib/BaseHTTPServer.py
index 27ac513802..722b50cea3 100644
--- a/Lib/BaseHTTPServer.py
+++ b/Lib/BaseHTTPServer.py
@@ -89,6 +89,8 @@ DEFAULT_ERROR_MESSAGE = """\
 </body>
 """
 
+def _quote_html(html):
+    return html.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
 
 class HTTPServer(SocketServer.TCPServer):
 
@@ -336,8 +338,9 @@ class BaseHTTPRequestHandler(SocketServer.StreamRequestHandler):
             message = short
         explain = long
         self.log_error("code %d, message %s", code, message)
+        # using _quote_html to prevent Cross Site Scripting attacks (see bug #1100201)
         content = (self.error_message_format %
-                   {'code': code, 'message': message, 'explain': explain})
+                   {'code': code, 'message': _quote_html(message), 'explain': explain})
         self.send_response(code, message)
         self.send_header("Content-Type", "text/html")
         self.send_header('Connection', 'close')
-- 
2.49.0