bpo-35603: Escape table header of make_table output that can cause potential XSS by tirkarthi · Pull Request #11341 · python/cpython

tirkarthi · 2018-12-28T09:44:29Z

fromdesc and todesc should be escaped since rendering unescaped HTML might lead to code execution in the browser rendering them as tags.

https://bugs.python.org/issue35603

serhiy-storchaka · 2018-12-28T11:12:01Z

Lib/difflib.py

                s.append( fmt % (next_id[i],next_href[i],fromlist[i],
                                           next_href[i],tolist[i]))
        if fromdesc or todesc:
+            fromdesc = fromdesc.replace("&", "&amp;").replace(">", "&gt;") \


Why not use html.escape()?

I thought about the same but text which was encoded was using the logic inlined and there was some discussion in the issue about just inlining the logic to avoid dependency at https://bugs.python.org/issue914575#msg45518 which I realize now is about xml.sax and not html.

html module was also importing entities at

cpython/Lib/html/__init__.py

Line 6 in c465682

from html.entities import html5 as _html5

that seemed little import heavy for me. But if it's okay to import html then I think it's good to use html.escape across the module to avoid duplicate code.

Well, for a bug fix we can keep an inlined code and consider using html.escape() in a separate issue.

Sure, thanks for the review.

serhiy-storchaka · 2018-12-28T11:57:37Z

Lib/difflib.py

                s.append( fmt % (next_id[i],next_href[i],fromlist[i],
                                           next_href[i],tolist[i]))
        if fromdesc or todesc:
+            fromdesc = fromdesc.replace("&", "&amp;").replace(">", "&gt;") \


Well, for a bug fix we can keep an inlined code and consider using html.escape() in a separate issue.

miss-islington · 2018-12-29T08:53:17Z

Thanks @tirkarthi for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.6, 3.7.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

bedevere-bot · 2018-12-29T08:53:36Z

GH-11353 is a backport of this pull request to the 3.7 branch.

…tential XSS. (pythonGH-11341) (cherry picked from commit 78de011) Co-authored-by: Xtreak <tir.karthi@gmail.com>

bedevere-bot · 2018-12-29T08:53:45Z

GH-11354 is a backport of this pull request to the 3.6 branch.

…tential XSS. (pythonGH-11341) (cherry picked from commit 78de011) Co-authored-by: Xtreak <tir.karthi@gmail.com>

…cause potential XSS. (GH-11341)" This reverts commit 78de011.

…cause potential XSS. (GH-11341)" (GH-11356) This reverts commit 78de011.

tirkarthi added 3 commits December 28, 2018 14:51

Escape table header output of HtmlDiff.make_table

9c29a77

Add news entry

c096b77

Fix test to use make_table

2f6be82

the-knights-who-say-ni added the CLA signed label Dec 28, 2018

bedevere-bot added the awaiting review label Dec 28, 2018

serhiy-storchaka reviewed Dec 28, 2018

View reviewed changes

serhiy-storchaka approved these changes Dec 28, 2018

View reviewed changes

bedevere-bot added awaiting merge and removed awaiting review labels Dec 28, 2018

serhiy-storchaka added type-bug An unexpected behavior, bug, or error needs backport to 3.7 type-security A security issue labels Dec 28, 2018

serhiy-storchaka merged commit 78de011 into python:master Dec 29, 2018

bedevere-bot removed the awaiting merge label Dec 29, 2018

bedevere-bot removed the needs backport to 3.7 label Dec 29, 2018

bedevere-bot removed the needs backport to 3.6 label Dec 29, 2018

serhiy-storchaka added a commit that referenced this pull request Dec 29, 2018

Revert "bpo-35603: Escape table header of make_table output that can …

13514f5

…cause potential XSS. (GH-11341)" This reverts commit 78de011.

serhiy-storchaka mentioned this pull request Dec 29, 2018

Revert "bpo-35603: Escape table header of make_table output that can cause potential XSS" #11356

Merged

serhiy-storchaka added a commit that referenced this pull request Jan 2, 2019

Revert "bpo-35603: Escape table header of make_table output that can …

830ddc7

…cause potential XSS. (GH-11341)" (GH-11356) This reverts commit 78de011.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

bpo-35603: Escape table header of make_table output that can cause potential XSS#11341

bpo-35603: Escape table header of make_table output that can cause potential XSS#11341
serhiy-storchaka merged 3 commits intopython:masterfrom
tirkarthi:bpo35603

tirkarthi commented Dec 28, 2018 •

edited by bedevere-bot

Loading

Uh oh!

serhiy-storchaka Dec 28, 2018

Uh oh!

tirkarthi Dec 28, 2018 •

edited

Loading

Uh oh!

serhiy-storchaka Dec 28, 2018

Uh oh!

tirkarthi Dec 28, 2018

Uh oh!

serhiy-storchaka Dec 28, 2018

Uh oh!

miss-islington commented Dec 29, 2018

Uh oh!

bedevere-bot commented Dec 29, 2018

Uh oh!

bedevere-bot commented Dec 29, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

Uh oh!

Conversation

tirkarthi commented Dec 28, 2018 • edited by bedevere-bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

serhiy-storchaka Dec 28, 2018

Choose a reason for hiding this comment

Uh oh!

tirkarthi Dec 28, 2018 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

serhiy-storchaka Dec 28, 2018

Choose a reason for hiding this comment

Uh oh!

tirkarthi Dec 28, 2018

Choose a reason for hiding this comment

Uh oh!

serhiy-storchaka Dec 28, 2018

Choose a reason for hiding this comment

Uh oh!

miss-islington commented Dec 29, 2018

Uh oh!

bedevere-bot commented Dec 29, 2018

Uh oh!

bedevere-bot commented Dec 29, 2018

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

tirkarthi commented Dec 28, 2018 •

edited by bedevere-bot

Loading

tirkarthi Dec 28, 2018 •

edited

Loading