diff --git a/paste/auth/open_id.py b/paste/auth/open_id.py
index 0ec3f3d..9889bcc 100644
--- a/paste/auth/open_id.py
+++ b/paste/auth/open_id.py
@@ -55,7 +55,7 @@
 
 __all__ = ['AuthOpenIDHandler']
 
-import cgi
+import html
 import urlparse
 import re
 
@@ -63,7 +63,7 @@
 from paste import httpexceptions
 
 def quoteattr(s):
-    qs = cgi.escape(s, 1)
+    qs = html.escape(s)
     return '"%s"' % (qs,)
 
 # You may need to manually add the openid package into your
@@ -200,7 +200,7 @@ def do_verify(self, request):
             else:
                 fmt = 'Could not find OpenID information in <q>%s</q>'
 
-            message = fmt % (cgi.escape(openid_url),)
+            message = fmt % (html.escape(openid_url),)
             return self.render(request, message, css_class='error', form_contents=openid_url)
         elif status == consumer.SUCCESS:
             # The URL was a valid identity URL. Now we construct a URL
@@ -245,7 +245,7 @@ def do_process(self, request):
             # message to help the user figure out what happened.
             openid_url = info
             fmt = "Verification of %s failed."
-            message = fmt % (cgi.escape(openid_url),)
+            message = fmt % (html.escape(openid_url),)
         elif status == consumer.SUCCESS:
             # Success means that the transaction completed without
             # error. If info is None, it means that the user cancelled
@@ -266,7 +266,7 @@ def do_process(self, request):
                     fmt = ("If you had supplied a login redirect path, you would have "
                            "been redirected there.  "
                            "You have successfully verified %s as your identity.")
-                    message = fmt % (cgi.escape(openid_url),)
+                    message = fmt % (html.escape(openid_url),)
                 else:
                     # @@: This stuff doesn't make sense to me; why not a remote redirect?
                     request['environ']['paste.auth.open_id'] = openid_url
diff --git a/paste/debug/doctest_webapp.py b/paste/debug/doctest_webapp.py
index f86c508..671d8ad 100755
--- a/paste/debug/doctest_webapp.py
+++ b/paste/debug/doctest_webapp.py
@@ -14,7 +14,7 @@
 import sys
 import shutil
 import re
-import cgi
+import html
 import rfc822
 from io import StringIO
 from paste.util import PySourceColor
@@ -214,7 +214,7 @@ def show_file(path, version, description=None, data=None):
         html = ('<div class="source-code">%s</div>'
                 % PySourceColor.str2html(data, PySourceColor.dark))
     else:
-        html = '<pre class="source-code">%s</pre>' % cgi.escape(data, 1)
+        html = '<pre class="source-code">%s</pre>' % html.escape(data)
     html = '<span class="source-filename">%s</span><br>%s' % (
         description or path, html)
     write_data(resource_filename('%s.%s.gen.html' % (path, version)),
diff --git a/paste/debug/prints.py b/paste/debug/prints.py
index 87a19ac..8286fbc 100644
--- a/paste/debug/prints.py
+++ b/paste/debug/prints.py
@@ -19,7 +19,7 @@
 
 from io import StringIO
 import re
-import cgi
+import html
 from paste.util import threadedprint
 from paste import wsgilib
 from paste import response
@@ -132,7 +132,7 @@ def remove_printdebug():
     def add_log(self, html, log):
         if not log:
             return html
-        text = cgi.escape(log)
+        text = html.escape(log)
         text = text.replace('\n', '<br>')
         text = text.replace('  ', '&nbsp; ')
         match = self._explicit_re.search(html)
diff --git a/paste/debug/profile.py b/paste/debug/profile.py
index fdbee74..f069ed9 100644
--- a/paste/debug/profile.py
+++ b/paste/debug/profile.py
@@ -11,7 +11,7 @@
 import hotshot
 import hotshot.stats
 import threading
-import cgi
+import html
 import time
 from io import StringIO
 from paste import response
@@ -78,7 +78,7 @@ def run_app():
             output_callers = capture_output(
                 stats.print_callers, self.limit)
             body += '<pre style="%s">%s\n%s</pre>' % (
-                self.style, cgi.escape(output), cgi.escape(output_callers))
+                self.style, html.escape(output), html.escape(output_callers))
             return [body]
         finally:
             self.lock.release()
diff --git a/paste/debug/watchthreads.py b/paste/debug/watchthreads.py
index 22fc035..098e2de 100644
--- a/paste/debug/watchthreads.py
+++ b/paste/debug/watchthreads.py
@@ -3,7 +3,6 @@
 threads there are and report on any wedged threads.
 """
 import sys
-import cgi
 import time
 import traceback
 from io import StringIO
diff --git a/paste/debug/wdg_validate.py b/paste/debug/wdg_validate.py
index a9d72dd..e7520d1 100644
--- a/paste/debug/wdg_validate.py
+++ b/paste/debug/wdg_validate.py
@@ -9,7 +9,7 @@
 import subprocess
 from paste.response import header_value
 import re
-import cgi
+import html
 
 __all__ = ['WDGValidateMiddleware']
 
@@ -95,7 +95,7 @@ def call_wdg_validate(self, wdg_path, ops, page):
     def add_error(self, html_page, html_errors):
         add_text = ('<pre style="background-color: #ffd; color: #600; '
                     'border: 1px solid #000;">%s</pre>'
-                    % cgi.escape(html_errors))
+                    % html.escape(html_errors))
         match = self._end_body_regex.search(html_page)
         if match:
             return [html_page[:match.start()]
diff --git a/paste/exceptions/errormiddleware.py b/paste/exceptions/errormiddleware.py
index 2fabcb8..a2bbb93 100644
--- a/paste/exceptions/errormiddleware.py
+++ b/paste/exceptions/errormiddleware.py
@@ -6,7 +6,7 @@
 """
 import sys
 import traceback
-import cgi
+import html
 from io import StringIO
 from paste.exceptions import formatter, collector, reporter
 from paste import wsgilib
@@ -428,7 +428,7 @@ def send_report(rep, exc_data, html=True):
 
             <pre>%s</pre>
             </p>""" % (
-                cgi.escape(str(rep)), output.getvalue())
+                html.escape(str(rep)), output.getvalue())
         else:
             return (
                 "Additionally an error occurred while sending the "