Created attachment 1190639 [details] the markdown file Description of problem: If a website developed by python-flask or other werkzeug-base framework run in debug mode which use the Debugger of werkzeug,it may be XSS by triggering an error。 Version-Release number of selected component (if applicable): <= 0.11.10 How reproducible: Steps to Reproduce: 1. For example, a common Flask code: from flask import Flask, request app = Flask(__name__) @app.route("/xss-debug-test/", methods=['POST']) def xss_debug_test(): id = int(request.form['id']) # or id = int(request.args.get('id')) return "XSS" if __name__ == "__main__": app.run(debug=True) 2. If the hacker posted “id=1</textarea><script>alert(/XSS/)</script>” to the url "/xss-debug-test/", the JavaScript in payload will be run in client. Additional info: The problem code is in the werkzeug/debug/tbtools.py, line 349: def render_full(self, evalex=False, secret=None, evalex_trusted=True): """Render the Full HTML page with the traceback info.""" exc = escape(self.exception) # the exception info use the escape method return PAGE_HTML % { 'evalex': evalex and 'true' or 'false', 'evalex_trusted': evalex_trusted and 'true' or 'false', 'console': 'false', 'title': exc, 'exception': exc, 'exception_type': escape(self.exception_type), 'summary': self.render_summary(include_title=False), 'plaintext': self.plaintext, # the plaintext did not use the escape method 'plaintext_cs': re.sub('-{2,}', '-', self.plaintext), 'traceback_id': self.id, 'secret': secret } See the code, the 'exc' variable use the escape method, but the 'plaintext' variable did not use. And it contained the exception info too in generate_plaintext_traceback function.
You can report it upstream (https://github.com/pallets/werkzeug), but in practice I think it's not really an issue. The debugger should never be enabled in production, as per the docs (http://werkzeug.pocoo.org/docs/0.11/debug/#debugger-pin) "Never enable the debugger in production."
*** Bug 1366833 has been marked as a duplicate of this bug. ***