bpo-35603: Escape table header of make_table output that can cause potential XSS. (GH-11341)

2025-07-12 13:55:34 +00:00 · 2018-12-29 14:23:14 +05:30 · 2018-12-29 14:23:14 +05:30 · 78de01198b
commit 78de01198b
parent 1f511e1af0
3 changed files with 15 additions and 0 deletions
--- a/Lib/test/test_difflib.py
+++ b/Lib/test/test_difflib.py
@ -238,6 +238,15 @@ class TestSFpatches(unittest.TestCase):
        with open(findfile('test_difflib_expect.html')) as fp:
            self.assertEqual(actual, fp.read())

+    def test_make_table_escape_table_header(self):
+        html_diff = difflib.HtmlDiff()
+        output = html_diff.make_table(patch914575_from1.splitlines(),
+                                      patch914575_to1.splitlines(),
+                                      fromdesc='<from>',
+                                      todesc='<to>')
+        self.assertIn('&lt;from&gt;', output)
+        self.assertIn('&lt;to&gt;', output)
+
    def test_recursion_limit(self):
        # Check if the problem described in patch #1413711 exists.
        limit = sys.getrecursionlimit()