When an exception occurs in a handler and PythonDebug is On, an error page is generated and returned to the client. The traceback and details of the exception will be output within a <pre></pre> section, however the content put in the section is included as is and no escaping is performed on special HTML characters. This means that if the details of the exception include any special HTML characters, it can stuff up the formatting of the page and/or information could on face value be lost.

For example the new importer will generate a specific exception where the response from a handler is not of the correct type.

  AssertionError: Handler has returned result or raised SERVER_RETURN
  exception with argument having non integer type. Type of value returned
  was <type 'module'>, whereas expected <type 'int'>.

Because this includes <> characters, it actuall displays in the resultant HTML page as:

  AssertionError: Handler has returned result or raised SERVER_RETURN
  exception with argument having non integer type. Type of value returned
  was , whereas expected .

The error reporter therefore should pass content through cgi.escape().