Commit 830ddc74 authored by Serhiy Storchaka's avatar Serhiy Storchaka Committed by GitHub

Revert "bpo-35603: Escape table header of make_table output that can cause...

Revert "bpo-35603: Escape table header of make_table output that can cause potential XSS. (GH-11341)" (GH-11356)

This reverts commit 78de0119.
parent 3a374e0c
...@@ -2036,10 +2036,6 @@ class HtmlDiff(object): ...@@ -2036,10 +2036,6 @@ class HtmlDiff(object):
s.append( fmt % (next_id[i],next_href[i],fromlist[i], s.append( fmt % (next_id[i],next_href[i],fromlist[i],
next_href[i],tolist[i])) next_href[i],tolist[i]))
if fromdesc or todesc: if fromdesc or todesc:
fromdesc = fromdesc.replace("&", "&").replace(">", ">") \
.replace("<", "&lt;")
todesc = todesc.replace("&", "&amp;").replace(">", "&gt;") \
.replace("<", "&lt;")
header_row = '<thead><tr>%s%s%s%s</tr></thead>' % ( header_row = '<thead><tr>%s%s%s%s</tr></thead>' % (
'<th class="diff_next"><br /></th>', '<th class="diff_next"><br /></th>',
'<th colspan="2" class="diff_header">%s</th>' % fromdesc, '<th colspan="2" class="diff_header">%s</th>' % fromdesc,
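Review bot: With the escaping lines gone, `fromdesc` and `todesc` are substituted straight into the `<th class="diff_header">%s</th>` cells on the last visible lines of the hunk, so a caller that builds the column headers from untrusted data (file names, user-supplied labels) gets markup injection in the generated table. If the revert is meant to preserve the old verbatim behaviour deliberately, that contract should be stated where callers will see it, e.g. a docstring line such as `fromdesc/todesc are inserted into the header row as raw HTML; escape them unless they are trusted markup`. If the escaping is to be reintroduced later, `html.escape(fromdesc, quote=False)` covers the same three characters (`&`, `<`, `>`) as the removed replace chain without a hand-rolled entity table, though it needs an `import html` that is not visible here. The enclosing `make_table` body starts and ends outside this hunk.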
...@@ -238,15 +238,6 @@ class TestSFpatches(unittest.TestCase): ...@@ -238,15 +238,6 @@ class TestSFpatches(unittest.TestCase):
with open(findfile('test_difflib_expect.html')) as fp: with open(findfile('test_difflib_expect.html')) as fp:
self.assertEqual(actual, fp.read()) self.assertEqual(actual, fp.read())
def test_make_table_escape_table_header(self):
html_diff = difflib.HtmlDiff()
output = html_diff.make_table(patch914575_from1.splitlines(),
patch914575_to1.splitlines(),
fromdesc='<from>',
todesc='<to>')
self.assertIn('&lt;from&gt;', output)
self.assertIn('&lt;to&gt;', output)
def test_recursion_limit(self): def test_recursion_limit(self):
# Check if the problem described in patch #1413711 exists. # Check if the problem described in patch #1413711 exists.
limit = sys.getrecursionlimit() limit = sys.getrecursionlimit()
Escape table header output of :meth:`difflib.HtmlDiff.make_table`.
Patch by Karthikeyan Singaravelan.