I'm not too familiar with Python HTTP handlers, but it seems that there are race conditions updating the central comment file.
The comment content needs significantly more filtering both on input and output, e.g. check the form content to make sure there are no "\n" in the comment string itself. On output, it should be fully HTML escaped, not just for double quotes. See "from cgi import escape".
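To illustrate the three points in the review, here is an added example (not code from the original post or the handler under review): input validation that rejects newlines, full HTML escaping on output beside the weak quotes-only variant, and an exclusive file lock around the append. It assumes a POSIX system (fcntl) and Python 3, where html.escape replaces the removed cgi.escape; the file path and sample comments are constructed.

```python
import fcntl
import html
import os
import tempfile


def escape_quotes_only(comment: str) -> str:
    # The weak output filter the review objects to: tags pass through untouched.
    return comment.replace('"', "&quot;")


def validate_comment(comment: str) -> str:
    # Input filtering: str.isprintable() is False for "\n", "\r", "\0" and other
    # control characters, so one submission cannot smuggle a second record
    # into the line-based comment file.
    if not comment.isprintable():
        raise ValueError("comment contains a newline or control character")
    return comment


def render_comment(comment: str) -> str:
    # Full HTML escaping on output; quote=True also covers both quote
    # characters so the value is safe inside attributes as well as text.
    return html.escape(comment, quote=True)


def append_comment(path: str, comment: str) -> None:
    # Hold an exclusive advisory lock for the whole write so two handler
    # processes cannot interleave partial lines in the shared file.
    with open(path, "a", encoding="utf-8") as fh:
        fcntl.flock(fh.fileno(), fcntl.LOCK_EX)
        try:
            fh.write(validate_comment(comment) + "\n")
            fh.flush()
            os.fsync(fh.fileno())
        finally:
            fcntl.flock(fh.fileno(), fcntl.LOCK_UN)


def read_comments(path: str) -> list:
    # Escape at render time, never trusting what was stored.
    with open(path, encoding="utf-8") as fh:
        return [render_comment(line.rstrip("\n")) for line in fh]


def demo_roundtrip() -> list:
    # Constructed sample comments: one plain, one carrying markup and quotes.
    samples = ["hello", '<b>bold</b> "quoted"']
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "comments.txt")
        for comment in samples:
            append_comment(path, comment)
        return read_comments(path)
```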