author | Ian Bicking <ianb@colorstudy.com> | 2010-06-15 12:30:05 -0500 |
committer | Ian Bicking <ianb@colorstudy.com> | 2010-06-15 12:30:05 -0500 |
commit | bde24c75563bee1f86eec96ec2bd9adac5b71e29 (patch) | |
tree | f9218976db1cfeccafb04a91fa75864aa2b7de2e /paste/util | |
parent | 15e51654e469e87a6974e46969e8ec1295937f96 (diff) | |
download | paste-bde24c75563bee1f86eec96ec2bd9adac5b71e29.tar.gz |
Fix XSS attacks as reported by Tim Wintle
Diffstat (limited to 'paste/util')
-rw-r--r-- | paste/util/quoting.py | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/paste/util/quoting.py b/paste/util/quoting.py
index b596d7f..582cc40 100644
--- a/paste/util/quoting.py
+++ b/paste/util/quoting.py
@@ -76,6 +76,13 @@ def no_quote(s):
     """
     return s
+_comment_quote_re = re.compile(r'\-\s*\>')
+def comment_quote(s):
+    """
+    Quote that makes sure text can't escape a comment
+    """
+    return _comment_quote_re.sub('->', str(s))
+
 url_quote = urllib.quote
 url_unquote = urllib.unquote
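Review bot: As rendered, the replacement on the `return _comment_quote_re.sub('->', str(s))` line reproduces the very `->` sequence the pattern matches, so a `-->` in the input comes out unchanged and the function does not stop text from closing an HTML comment; if the repository source actually uses an escaped entity such as `-&gt;` that this page rendered back to `>`, the line is correct, but that should be confirmed against the file rather than the rendering. Note also that `\-\s*\>` collapses `- >` into `->`, which is only safe when the replacement is escaped. Separately, `str(s)` raises `UnicodeEncodeError` for a unicode argument containing non-ASCII characters on the Python 2 interpreter this file's `urllib.quote` implies, so such callers get an exception rather than quoted output. The docstring could state the contract explicitly, e.g. `"""Return s with every '->' sequence escaped so the result cannot terminate an HTML comment."""`.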