issue2550925 strip HTTP_PROXY environment variable if deployed as CGI and client sends an http PROXY header, the tainted HTTP_PROXY environment variable is created. It can affect calls using requests package or curl. A roundup admin would have to write detectors/extensions that use these mechanisms. Not exploitable in default config. See: https://httpoxy.org/

try:
    from html import escape as html_escape_ # python 3
    def html_escape(str, quote=False):
        # html_escape under python 3 sets quote to true by default
        # make it python 2 compatible
        return html_escape_(str, quote=quote)
except ImportError:
    from cgi import escape as html_escape # python 2 fallback