[Python-checkins] bpo-35603: Escape table header of make_table output that can cause potential XSS. (GH-11341)
Serhiy Storchaka
webhook-mailer at python.org
Sat Dec 29 03:53:20 EST 2018
https://github.com/python/cpython/commit/78de01198b047347abc5e458851bb12c48429e24
commit: 78de01198b047347abc5e458851bb12c48429e24
branch: master
author: Xtreak <tir.karthi at gmail.com>
committer: Serhiy Storchaka <storchaka at gmail.com>
date: 2018-12-29T10:53:14+02:00
summary:
bpo-35603: Escape table header of make_table output that can cause potential XSS. (GH-11341)
files:
A Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst
M Lib/difflib.py
M Lib/test/test_difflib.py
diff --git a/Lib/difflib.py b/Lib/difflib.py
index 887c3c26cae4..4571817b9823 100644
--- a/Lib/difflib.py
+++ b/Lib/difflib.py
@@ -2036,6 +2036,10 @@ def make_table(self,fromlines,tolines,fromdesc='',todesc='',context=False,
s.append( fmt % (next_id[i],next_href[i],fromlist[i],
next_href[i],tolist[i]))
if fromdesc or todesc:
+ fromdesc = fromdesc.replace("&", "&").replace(">", ">") \
+ .replace("<", "<")
+ todesc = todesc.replace("&", "&").replace(">", ">") \
+ .replace("<", "<")
header_row = '<thead><tr>%s%s%s%s</tr></thead>' % (
'<th class="diff_next"><br /></th>',
'<th colspan="2" class="diff_header">%s</th>' % fromdesc,
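Review bot: The three `.replace` calls on `fromdesc` and `todesc` read as no-ops here (`replace("&", "&")`), which is almost certainly this mailing-list rendering decoding the `&amp;`/`&gt;`/`&lt;` entity literals rather than what the commit contains; anyone reading the patch from this page should verify against the commit itself. Escaping only `&`, `<` and `>` is sufficient because both values land in the text content of a `<th>` element, but it would not be enough if a later change moved either description into an attribute, so a comment such as `# element-content escaping only; not safe for attribute values` would stop that from being reused silently. The same three-call chain appears to be duplicated from the existing line-escaping code in this module, so a small private `_escape_html(text)` helper (or `html.escape(text, quote=False)`) called as `fromdesc = _escape_html(fromdesc)` would keep the two paths from drifting apart. `make_table` starts before and continues past this hunk.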
diff --git a/Lib/test/test_difflib.py b/Lib/test/test_difflib.py
index 745ccbd6659e..63ebdb0dc83b 100644
--- a/Lib/test/test_difflib.py
+++ b/Lib/test/test_difflib.py
@@ -238,6 +238,15 @@ def test_html_diff(self):
with open(findfile('test_difflib_expect.html')) as fp:
self.assertEqual(actual, fp.read())
+ def test_make_table_escape_table_header(self):
+ html_diff = difflib.HtmlDiff()
+ output = html_diff.make_table(patch914575_from1.splitlines(),
+ patch914575_to1.splitlines(),
+ fromdesc='<from>',
+ todesc='<to>')
+ self.assertIn('<from>', output)
+ self.assertIn('<to>', output)
+
def test_recursion_limit(self):
# Check if the problem described in patch #1413711 exists.
limit = sys.getrecursionlimit()
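Review bot: The two `assertIn` checks as rendered look for `'<from>'` and `'<to>'`, which the unescaped output also contains, so the test would pass even if the escaping were removed; the entity forms were presumably lost in this page's rendering, but the test should in any case also assert that the raw markup is absent, e.g. `self.assertNotIn('<from>', output)` and `self.assertNotIn('<to>', output)`. A description containing `&` (say `fromdesc='a&b<c>'`) would exercise the ampersand replacement too, which the current `'<from>'` input does not cover. Only the added test method is complete within this hunk; `test_html_diff` above and `test_recursion_limit` below extend outside it.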
diff --git a/Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst b/Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst
new file mode 100644
index 000000000000..03150c3aa494
--- /dev/null
+++ b/Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst
@@ -0,0 +1,2 @@
+Escape table header output of :meth:`difflib.HtmlDiff.make_table`.
+Patch by Karthikeyan Singaravelan.