Skip to content

bpo-35603: Escape table header of make_table output that can cause potential XSS #11341

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
Dec 29, 2018
Merged

bpo-35603: Escape table header of make_table output that can cause potential XSS #11341

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9c29a77
Escape table header output of HtmlDiff.make_table
tirkarthi Dec 28, 2018
c096b77
Add news entry
tirkarthi Dec 28, 2018
2f6be82
Fix test to use make_table
tirkarthi Dec 28, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions Lib/difflib.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2036,6 +2036,10 @@ def make_table(self,fromlines,tolines,fromdesc='',todesc='',context=False,
s.append( fmt % (next_id[i],next_href[i],fromlist[i],
next_href[i],tolist[i]))
if fromdesc or todesc:
fromdesc = fromdesc.replace("&", "&").replace(">", ">") \
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not use html.escape()?

Copy link
Member Author

@tirkarthi tirkarthi Dec 28, 2018
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I thought about the same but text which was encoded was using the logic inlined and there was some discussion in the issue about just inlining the logic to avoid dependency at https://bugs.python.org/issue914575#msg45518 which I realize now is about xml.sax and not html.

html module was also importing entities at

cpython/Lib/html/__init__.py

Line 6 in c465682

from html.entities import html5 as _html5
that seemed little import heavy for me. But if it's okay to import html then I think it's good to use html.escape across the module to avoid duplicate code.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Well, for a bug fix we can keep an inlined code and consider using html.escape() in a separate issue.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure, thanks for the review.

.replace("<", "&lt;")
todesc = todesc.replace("&", "&amp;").replace(">", "&gt;") \
.replace("<", "&lt;")
header_row = '<thead><tr>%s%s%s%s</tr></thead>' % (
'<th class="diff_next"><br /></th>',
'<th colspan="2" class="diff_header">%s</th>' % fromdesc,
Expand Down
9 changes: 9 additions & 0 deletions Lib/test/test_difflib.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -238,6 +238,15 @@ def test_html_diff(self):
with open(findfile('test_difflib_expect.html')) as fp:
self.assertEqual(actual, fp.read())

def test_make_table_escape_table_header(self):
html_diff = difflib.HtmlDiff()
output = html_diff.make_table(patch914575_from1.splitlines(),
patch914575_to1.splitlines(),
fromdesc='<from>',
todesc='<to>')
self.assertIn('&lt;from&gt;', output)
self.assertIn('&lt;to&gt;', output)

def test_recursion_limit(self):
# Check if the problem described in patch #1413711 exists.
limit = sys.getrecursionlimit()
Expand Down
2 changes: 2 additions & 0 deletions Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
Escape table header output of :meth:`difflib.HtmlDiff.make_table`.
Patch by Karthikeyan Singaravelan.