From b40d16b214d9164e6255857a63c729c5f65b017f Mon Sep 17 00:00:00 2001
Message-Id: <b40d16b214d9164e6255857a63c729c5f65b017f.1714838094.git.mdw@distorted.org.uk>
From: Mark Wooding <mdw@chiark.greenend.org.uk>
Date: Wed, 13 Mar 2013 14:41:51 +0000
Subject: [PATCH] cgi.py: Escape quote signs in `htmlescape' and
 `html_quotify'.
Organization: Straylight/Edgeware

From: Mark Wooding <mdw@distorted.org.uk>

This helps protect against XSS attacks.
---
 cgi.py | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/cgi.py b/cgi.py
index 0bd66cc..531a49c 100644
--- a/cgi.py
+++ b/cgi.py
@@ -59,7 +59,7 @@ CONF.DEFAULTS.update(
 ## Some handy regular expressions.
 R_URLESC = RX.compile('%([0-9a-fA-F]{2})')
 R_URLBAD = RX.compile('[^-\\w,.!]')
-R_HTMLBAD = RX.compile('[&<>]')
+R_HTMLBAD = RX.compile('[&<>\'"]')
 
 def urldecode(s):
   """Decode a single form-url-encoded string S."""
@@ -77,17 +77,18 @@ def htmlescape(s):
 
 ## Some standard character sequences, and HTML entity names for prettier
 ## versions.
-_quotify = U.StringSubst({
+html_quotify = U.StringSubst({
+  "<": '&lt;',
+  ">": '&gt;',
+  "&": '&amp;',
   "`": '&lsquo;',
   "'": '&rsquo;',
+  '"': '&quot;',
   "``": '&ldquo;',
   "''": '&rdquo;',
   "--": '&ndash;',
   "---": '&mdash;'
 })
-def html_quotify(s):
-  """Return a pretty HTML version of S."""
-  return _quotify(htmlescape(s))
 
 ###--------------------------------------------------------------------------
 ### Output machinery.
-- 
[mdw]