
bpo-35603: Escape table header of make_table output that can cause potential XSS. (GH-11341)
tirkarthi authored and serhiy-storchaka committed Dec 29, 2018
1 parent 1f511e1 commit 78de01198b047347abc5e458851bb12c48429e24
Showing with 15 additions and 0 deletions.
  1. +4 −0 Lib/difflib.py
  2. +9 −0 Lib/test/test_difflib.py
  3. +2 −0 Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst
@@ -2036,6 +2036,10 @@ def make_table(self,fromlines,tolines,fromdesc='',todesc='',context=False,
s.append( fmt % (next_id[i],next_href[i],fromlist[i],
next_href[i],tolist[i]))
if fromdesc or todesc:
fromdesc = fromdesc.replace("&", "&").replace(">", ">") \
.replace("<", "&lt;")
todesc = todesc.replace("&", "&amp;").replace(">", "&gt;") \
.replace("<", "&lt;")
header_row = '<thead><tr>%s%s%s%s</tr></thead>' % (
'<th class="diff_next"><br /></th>',
'<th colspan="2" class="diff_header">%s</th>' % fromdesc,
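Review bot: The new escaping of `fromdesc`/`todesc` deliberately covers only `&`, `<` and `>`, which is sufficient here because both values are interpolated as element text inside `<th>` and never into an attribute, but nothing in the hunk records that constraint, so a later change that moves a desc into an attribute (e.g. a `title="..."`) would reopen the injection without any quote escaping. I would add a comment above the first replace chain: `# Descs are emitted as element text only (no attributes), so escaping &, <, > is enough; '&' must go first so the entities just produced are not re-escaped.` The ordering point matters because swapping the `&` replacement after the others would turn `&lt;` back into `&amp;lt;`. As rendered on this page the first replace chain reads `.replace("&", "&").replace(">", ">")`, which looks like the page unescaping the entities for display rather than the committed source; the parallel `todesc` line shows `&amp;`/`&gt;`, and that is what the test expects. `make_table` begins and continues outside this hunk, so the `header_row` assembly that consumes these values is only partly visible.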
@@ -238,6 +238,15 @@ def test_html_diff(self):
with open(findfile('test_difflib_expect.html')) as fp:
self.assertEqual(actual, fp.read())

def test_make_table_escape_table_header(self):
html_diff = difflib.HtmlDiff()
output = html_diff.make_table(patch914575_from1.splitlines(),
patch914575_to1.splitlines(),
fromdesc='<from>',
todesc='<to>')
self.assertIn('&lt;from&gt;', output)
self.assertIn('&lt;to&gt;', output)

def test_recursion_limit(self):
# Check if the problem described in patch #1413711 exists.
limit = sys.getrecursionlimit()
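Review bot: `test_make_table_escape_table_header` only checks that the escaped forms appear and exercises just `<`/`>`, so it would still pass if `&` were left raw or if the output also contained the unescaped markup somewhere else. Tightening it is a few lines: use `fromdesc='<from&>'`, then `self.assertIn('&lt;from&amp;&gt;', output)` and `self.assertNotIn('<from&>', output)`, which pins the `&`-first ordering as well. If `make_file` forwards `fromdesc`/`todesc` to `make_table` (not visible in this hunk), one assertion through `make_file` would also cover the public entry point most callers actually use.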
@@ -0,0 +1,2 @@
Escape table header output of :meth:`difflib.HtmlDiff.make_table`.
Patch by Karthikeyan Singaravelan.
