HTML encode the docstrings in the Django jsonrpc_map

jsonrpc/backend/django.py

@@ -1,5 +1,6 @@
 from __future__ import absolute_import
 
+from django.utils.html import format_html_join, format_html
 from django.views.decorators.csrf import csrf_exempt
 from django.conf.urls import url
 from django.http import HttpResponse, HttpResponseNotAllowed
@@ -69,13 +70,16 @@ def serialize(s):
     def jsonrpc_map(self, request):
         """ Map of json-rpc available calls.
 
-        :return str:
+        :return HttpResponse:
 
         """
-        result = "<h1>JSON-RPC map</h1><pre>{0}</pre>".format("\n\n".join([
-            "{0}: {1}".format(fname, f.__doc__)
-            for fname, f in self.dispatcher.items()
-        ]))
+        result = format_html(
+            "<h1>JSON-RPC map</h1><pre>{0}</pre>",
+            format_html_join(
+                "\n\n", "{0}: {1}",
+                ((fname, f.__doc__) for fname, f in self.dispatcher.items()),
+            ),
+        )
         return HttpResponse(result)
 
 

jsonrpc/tests/test_backend_django/tests.py

@@ -67,6 +67,20 @@ def test_resource_map(self):
         data = response.content.decode('utf8')
         self.assertIn("JSON-RPC map", data)
 
+    def test_resource_map_is_html_encoded(self):
+        @api.dispatcher.add_method
+        def dummy():
+            """Docstring with <tag> & ampersand"""
+            return ""
+
+        response = self.client.get('/map')
+        self.assertEqual(response.status_code, 200)
+        decoded_content = response.content.decode('utf8')
+        self.assertIn("&lt;", decoded_content)
+        self.assertIn("&gt;", decoded_content)
+        self.assertIn("&amp;", decoded_content)
+        self.assertNotIn("<tag>", decoded_content)
+
     def test_method_not_allowed_prefix(self):
         response = self.client.get(
             '/prefix',