Update mdx.py

[mrvanes]

This fixes an unescaped user input vulnerability

[coveralls]

Coverage decreased (-0.4%) to 81.531% when pulling 4d8133a on mrvanes:patch-1 into 2cb735c on IdentityPython:master.

[coveralls]

Coverage decreased (-0.4%) to 81.531% when pulling 4d8133a on mrvanes:patch-1 into 2cb735c on IdentityPython:master.

[coveralls]

Coverage decreased (-0.4%) to 81.531% when pulling 4d8133a on mrvanes:patch-1 into 2cb735c on IdentityPython:master.

[c00kiemon5ter]

https://docs.python.org/3/library/cgi.html#cgi.escape

Deprecated since version 3.2: This function is unsafe because quote is false by default, and therefore deprecated. Use html.escape() instead.

Maybe, we should use just html.escape

[mrvanes]

I did, but it is only available from 3.2 and pyFF is still in 2.7 land...

[leifj]

pyFF is 3.x and 2.x - all builds are built on 2.7, 3.5, 3.6, 3.7 - is there a six move we can use?

[mrvanes]

Maybe in master now, but our deploy is still a 2.7 venv. I expect many others are, due to legacy. Do you want to break all those installations without warning?

[leifj]

Yeah sorry. I took your comment to mean that pyFF didn't do 3.x but you meant that pyFF still needs to maintain backwards compat with 2.x.

[mrvanes]

I don't know six-fu, please consider this PR a best-effort favor to the community...

[c00kiemon5ter]

import six
if six.PY2:
    from cgi import escape
else:
    from html import escape

[mrvanes]

But is this compatible with the quote=True named parameter in the call later for html.escape?

[c00kiemon5ter]

yes, both interfaces are the same. The difference is that the default value for the quote parameter is False for cgi.escpae and True for html.escape. Setting the quote parameter yourself works for both modules ;-)

[leifj]

I'm fine merging this and fixing the six move myself

[leifj]

I will!

[leifj]

Kudos to Tirtha Mandal mandaltirtha17@gmail.com and Jonas Lejon jonas@triop.se who independently discovered this. Closes #160