bug [ 1100201 ] Cross-site scripting on BaseHTTPServer

2025-08-02 16:13:13 +00:00 · 2005-06-26 21:33:14 +00:00 · 2005-06-26 21:33:14 +00:00 · a2aa1ac42b
commit a2aa1ac42b
parent 379f99dbc3
1 changed files with 4 additions and 1 deletions
--- a/Lib/BaseHTTPServer.py
+++ b/Lib/BaseHTTPServer.py
@ -89,6 +89,8 @@ DEFAULT_ERROR_MESSAGE = """\
 </body>
 """

+def _quote_html(html):
+    return html.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

 class HTTPServer(SocketServer.TCPServer):

@ -336,8 +338,9 @@ class BaseHTTPRequestHandler(SocketServer.StreamRequestHandler):
            message = short
        explain = long
        self.log_error("code %d, message %s", code, message)
+        # using _quote_html to prevent Cross Site Scripting attacks (see bug #1100201)
        content = (self.error_message_format %
-                   {'code': code, 'message': message, 'explain': explain})
+                   {'code': code, 'message': _quote_html(message), 'explain': explain})
        self.send_response(code, message)
        self.send_header("Content-Type", "text/html")
        self.send_header('Connection', 'close')