[New-bugs-announce] [issue35603] table header in output of difflib.HtmlDiff.make_table is not escaped and can be rendered as code in the browser
Karthikeyan Singaravelan
report at bugs.python.org
Fri Dec 28 04:18:00 EST 2018
New submission from Karthikeyan Singaravelan <tir.karthi at gmail.com>:
HtmlDiff.make_table takes fromdesc and todesc that are not escaped, causing problems while rendering HTML when they contain tags like fromdesc="<from>", todesc="<to>". There is no validation that they are filenames, so they could be arbitrary strings. Since the contents of the table are escaped, I think it's good to escape the headers too, since they might lead the browser to execute the headers as code and potential XSS. I don't think it's worthy of adding the security type, so I am adding behavior. Feel free to change the type if needed.
I could see no test failures on applying my patch and I will push a PR with a test.
Current output: (<from> and <to> are not escaped in the output)
$ python3 -c 'import difflib; print(difflib.HtmlDiff().make_table(["<a> hello </a>"], ["<b> hello </b>"], fromdesc="<from>", todesc="<to>"))'
<table class="diff" id="difflib_chg_to0__top"
cellspacing="0" cellpadding="0" rules="groups" >
<colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
<colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
<thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header"><from></th><th class="diff_next"><br /></th><th colspan="2" class="diff_header"><to></th></tr></thead>
<tbody>
<tr><td class="diff_next" id="difflib_chg_to0__0"><a href="#difflib_chg_to0__top">t</a></td><td class="diff_header" id="from0_1">1</td><td nowrap="nowrap"><<span class="diff_chg">a</span>> hello </<span class="diff_chg">a</span>></td><td class="diff_next"><a href="#difflib_chg_to0__top">t</a></td><td class="diff_header" id="to0_1">1</td><td nowrap="nowrap"><<span class="diff_chg">b</span>> hello </<span class="diff_chg">b</span>></td></tr>
</tbody>
</table>
----------
components: Library (Lib)
messages: 332648
nosy: xtreak
priority: normal
severity: normal
status: open
title: table header in output of difflib.HtmlDiff.make_table is not escaped and can be rendered as code in the browser
type: behavior
versions: Python 3.7, Python 3.8
_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35603>
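A defensive wrapper for the behaviour described in this report, added here as an example and not code from the report or from CPython. Because the fix for this issue makes make_table escape the headers itself, pre-escaping unconditionally would double-escape on a fixed interpreter, so the wrapper first renders a constructed probe description to find out which behaviour the installed difflib has; the helper names, the probe string and the check function are assumptions of this example.

```python
import difflib
import html
import re

# Constructed probe description (hypothetical, not from the report): rendered once to
# learn whether this interpreter's HtmlDiff.make_table escapes fromdesc/todesc itself.
_PROBE = "<probe>"


def _library_escapes_headers() -> bool:
    """True if the installed difflib already escapes the header descriptions."""
    out = difflib.HtmlDiff().make_table(["x"], ["x"], fromdesc=_PROBE, todesc=_PROBE)
    return "&lt;probe&gt;" in out


def _thead(table_html: str) -> str:
    """Return the <thead>...</thead> portion of a make_table result, or ''."""
    m = re.search(r"<thead>.*?</thead>", table_html, re.S)
    return m.group(0) if m else ""


def safe_make_table(fromlines, tolines, fromdesc="", todesc="", **kwargs):
    """Render a difflib HTML table whose header descriptions are escaped exactly once,
    whether or not the installed difflib escapes them itself (hypothetical helper)."""
    if not _library_escapes_headers():
        # Unfixed interpreter: escape here, including quotes, before the text is
        # interpolated into the <th> elements.
        fromdesc = html.escape(fromdesc, quote=True)
        todesc = html.escape(todesc, quote=True)
    return difflib.HtmlDiff().make_table(
        fromlines, tolines, fromdesc=fromdesc, todesc=todesc, **kwargs
    )


def header_leaks_markup(table_html: str) -> bool:
    """True if the table header contains any tag difflib does not emit itself,
    i.e. caller-supplied description text was rendered as markup."""
    allowed = {"thead", "tr", "th", "br"}
    tags = re.findall(r"</?\s*([A-Za-z0-9]+)", _thead(table_html))
    return any(t.lower() not in allowed for t in tags)


if __name__ == "__main__":
    # Same inputs as the report's reproduction command.
    out = safe_make_table(["<a> hello </a>"], ["<b> hello </b>"],
                          fromdesc="<from>", todesc="<to>")
    print(_thead(out))
    print("header leaks markup:", header_leaks_markup(out))
```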