From 595806a913369749e44e032ef72ae2cb73b60ab5 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Fri, 24 Aug 2012 23:25:02 +0900
Subject: [PATCH] python: escape more variable when formatting error_message_format
---
 python/spdylay.pyx | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/python/spdylay.pyx b/python/spdylay.pyx
index c612042c..1e46a4e1 100644
--- a/python/spdylay.pyx
+++ b/python/spdylay.pyx
@@ -1143,6 +1143,7 @@ try:
 error_content_type = 'text/html; charset=UTF-8'
+ # Same HTML from Apache error page
 error_message_format = '''\
@@ -1167,8 +1168,11 @@ try:
 explain = longmsg
 content = self.error_message_format.format(\
- code=code, reason = escape(message), explain=explain,
- server=self.server_version, hostname=socket.getfqdn(),
+ code=code,
+ reason = escape(message),
+ explain=escape(explain),
+ server=escape(self.server_version),
+ hostname=escape(socket.getfqdn()),
 port=self.server.server_address[1]).encode('UTF-8')
 self.send_response(code, message)
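Review bot: The last context line of the second hunk, `self.send_response(code, message)`, still passes `message` through unmodified, so the escaping added for the HTML body does not cover the status text sent with the response. HTML escaping would be the wrong encoding there; if `message` can ever carry caller- or request-derived text, it would be safer to reject or strip control characters (CR, LF, NUL) before the call, though `send_response` is defined outside this hunk and may already do so. It is also worth confirming which `escape` is imported (the import is not visible here): if it is `cgi.escape`, quotes are left alone unless `quote=True` is passed, which is fine for element text but not if the template ever places a field inside an attribute. Minor style: `reason = escape(message),` keeps spaces around `=` while the other keyword arguments do not; `reason=escape(message),` would match. The enclosing method starts and ends outside the hunk.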