librelist archives

« back to archive

MarkupSafe 0.21 Released [Potentially Security Critical]

MarkupSafe 0.21 Released [Potentially Security Critical]

Armin Ronacher
2014-04-17 @ 09:57

MarkupSafe 0.21 now implements Python 2.6 / 3.x string formatting correctly. 
Previously only a tiny subset of new style string formatting was supported but 
it did not warn or error on misuse.  As a result if you used Markup.format you 
might have been subject to XSS.

The following cases were not escaped:

- nested format access
- keyword arguments

This new version fixes this problem by fully implementing it.  As a result 
MarkupSafe now also defines __html_format__() as special method.

I would strongly recommend upgrading to the new version if you have been using 
Markup.format before.