mirrors/cpython
1
0
Fork 0
mirror of https://github.com/python/cpython.git synced 2025-08-22 17:55:18 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 11

bpo-35603: Escape table header of make_table output that can cause potential XSS. (GH-11341)

Browse source
This commit is contained in:
Xtreak 2018-12-29 14:23:14 +05:30 committed by Serhiy Storchaka
parent 1f511e1af0
commit 78de01198b
3 changed files with 15 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

4
Lib/difflib.py
View file

@ -2036,6 +2036,10 @@ class HtmlDiff(object):
s.append( fmt % (next_id[i],next_href[i],fromlist[i],
next_href[i],tolist[i]))
if fromdesc or todesc:
fromdesc = fromdesc.replace("&", "&").replace(">", ">") \
.replace("<", "&lt;")
todesc = todesc.replace("&", "&amp;").replace(">", "&gt;") \
.replace("<", "&lt;")
header_row = '<thead><tr>%s%s%s%s</tr></thead>' % (
'<th class="diff_next"><br /></th>',
'<th colspan="2" class="diff_header">%s</th>' % fromdesc,