Use html.escape() instead of cgi.escape()

Python 3.2+ deprecated cgi.escape() for html.escape(). And in 3.8 cgi.escape() has been completely removed. This patch conditional makes use of html.escape() for 3.2 and higher. Fixes issue #338 Signed-off-by: Eric Brown <browne@vmware.com>
PyCQA · Jul 15, 2018 · 0d9551c · 0d9551c
1 parent f099f24
commit 0d9551c
Showing 1 changed file with 12 additions and 5 deletions.
diff --git a/bandit/formatters/html.py b/bandit/formatters/html.py
@@ -150,15 +150,22 @@
 .. versionadded:: 0.14.0
 
 """
+from __future__ import absolute_import
 
-import cgi
 import logging
 import sys
 
+import six
+
 from bandit.core import docs_utils
 from bandit.core import test_properties
 from bandit.formatters import utils
 
+if not six.PY2:
+    from html import escape as html_escape
+else:
+    from cgi import escape as html_escape
+
 LOG = logging.getLogger(__name__)
 
 
@@ -342,15 +349,15 @@ def report(manager, fileobj, sev_level, conf_level, lines=-1):
     for index, issue in enumerate(issues):
         if not baseline or len(issues[issue]) == 1:
             candidates = ''
-            safe_code = cgi.escape(issue.get_code(lines, True).
-                                   strip('\n').lstrip(' '))
+            safe_code = html_escape(issue.get_code(lines, True).
+                                    strip('\n').lstrip(' '))
             code = code_block.format(code=safe_code)
         else:
             candidates_str = ''
             code = ''
             for candidate in issues[issue]:
-                candidate_code = cgi.escape(candidate.get_code(lines, True).
-                                            strip('\n').lstrip(' '))
+                candidate_code = html_escape(candidate.get_code(lines, True).
+                                             strip('\n').lstrip(' '))
                 candidates_str += candidate_issue.format(code=candidate_code)
 
             candidates = candidate_block.format(candidate_list=candidates_str)