MarkupSafe 0.21 Released [Potentially Security Critical]
From: Armin Ronacher
Date: 2014-04-17 @ 09:57
Hi,
MarkupSafe 0.21 now implements Python 2.6 / 3.x string formatting correctly.
Previously only a tiny subset of new style string formatting was supported but
it did not warn or error on misuse. As a result, if you used Markup.format you
might have been subject to XSS.
The following cases were not escaped:
- nested format access
- keyword arguments
This new version fixes this problem by fully implementing it. As a result,
MarkupSafe now also defines __html_format__() as a special method.
I would strongly recommend upgrading to the new version if you have been using
Markup.format before.
Regards,
Armin
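The two failure classes named in the mail (nested format access such as `{0.name}` and keyword arguments) and the `__html_format__` hook, shown side by side as an added, self-contained example. This is not MarkupSafe's own code: `Markup`, `escape`, `EscapeFormatter`, `naive_format`, `User`, `Money` and `demo` are stand-ins written for this note, and `naive_format` is a constructed "before" that merely reproduces the two unescaped cases, not the historical implementation. The fix relies on `string.Formatter` resolving attribute and item lookups before `format_field()` is called, so escaping at that point covers every path into the template.

```python
"""Constructed illustration of the MarkupSafe 0.21 fix: a Markup.format that
escapes every formatted field, including values reached through nested
attribute/item access and through keyword arguments, plus an __html_format__
hook. Stand-in code for this note, not MarkupSafe's own implementation."""
import string
from html import escape as _html_escape


class Markup(str):
    """Minimal stand-in for markupsafe.Markup: a str known to be safe HTML."""

    def __html__(self):
        return self

    def __html_format__(self, format_spec):
        # Trusted markup must not be re-shaped by a format spec; reject it.
        if format_spec:
            raise ValueError("Unsupported format specification for Markup.")
        return self

    def format(self, *args, **kwargs):
        return self.__class__(EscapeFormatter().vformat(self, args, kwargs))


def escape(value):
    """Values that declare __html__ are trusted; everything else is escaped."""
    if hasattr(value, "__html__"):
        return Markup(value.__html__())
    return Markup(_html_escape(str(value), quote=True))


class EscapeFormatter(string.Formatter):
    """string.Formatter that escapes each field AFTER the field lookup.

    vformat() resolves '{0.name}', '{d[key]}' and '{kw}' via get_field() and
    only then calls format_field(), so escaping here catches the leaf value an
    attacker controls regardless of how the template reached it."""

    def format_field(self, value, format_spec):
        if hasattr(value, "__html_format__"):
            rv = value.__html_format__(format_spec)
        elif hasattr(value, "__html__"):
            if format_spec:
                raise ValueError(
                    f"Format specifier {format_spec!r} given, but {type(value)} "
                    "does not define __html_format__."
                )
            rv = value.__html__()
        else:
            rv = string.Formatter.format_field(self, value, format_spec)
        return str(escape(rv))


def naive_format(template, *args, **kwargs):
    """Constructed 'before' for contrast (hypothetical, not the old code):
    escapes only positional str arguments, so an object reached via nested
    access and every keyword argument land in the output unescaped."""
    safe_args = [escape(a) if isinstance(a, str) else a for a in args]
    return Markup(str.format(template, *safe_args, **kwargs))


class User:
    """Constructed model object whose attribute is attacker-controlled."""

    def __init__(self, name):
        self.name = name


class Money:
    """A value that renders itself as HTML and honours a format spec
    (the spec selects the currency symbol, which is itself escaped)."""

    def __init__(self, cents):
        self.cents = cents

    def __html_format__(self, format_spec):
        symbol = format_spec or "$"
        return Markup("<b>{}{:.2f}</b>").format(symbol, self.cents / 100)


PAYLOAD = "<script>alert(1)</script>"  # constructed XSS probe


def demo():
    """Return (vulnerable_output, fixed_output) for the same template/inputs."""
    tmpl = Markup("<p>{0.name} said hi to {friend}</p>")
    before = naive_format(tmpl, User(PAYLOAD), friend=PAYLOAD)
    after = tmpl.format(User(PAYLOAD), friend=PAYLOAD)
    return before, after


if __name__ == "__main__":
    vulnerable, fixed = demo()
    print("naive :", vulnerable)
    print("fixed :", fixed)
    print("hook  :", Markup("Total: {0:€}").format(Money(1234)))
```

Run it and the naive line carries the raw `<script>` twice while the fixed line has both occurrences escaped; the last line shows a user class supplying its own `__html_format__`, which is the contract the mail says Markup now defines as a special method.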