Insecure python cgi documentation and tutorials are vulnerable to XSS.

[Georgi Guninski <gguninski () gmail com>]

Is there low hanging fruit for the following observation?

The documentation of the python cgi module is vulnerable to XSS
(cross site scripting)

https://docs.python.org/3/library/cgi.html

```
form = cgi.FieldStorage()
print("<p>name:", form["name"].value)
print("<p>addr:", form["addr"].value)
```

First result on google for "tutorial python cgi"
is https://www.tutorialspoint.com/python/python_cgi_programming.htm

And it is almost the same as the python doc.

I verified that setting ```name=<script>alert(document.domain)</script>```
will trigger dialog, demonstrating javascript is executed
on the cgi host.

I would expect that devs who read the docs or tutorials will write
vulnerable cgis.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/