authorSerhiy Storchaka <storchaka@gmail.com>2019-01-02 12:49:25 (GMT)
committerGitHub <noreply@github.com>2019-01-02 12:49:25 (GMT)
commit830ddc74c495ac1a5c03172a31006074967571a3 (patch)
treed3ccaa516ce24b6c46553bb76e793192f08a86da
parent3a374e0c5abe805667b71ffaaa7614781101ff4c (diff)
Revert "bpo-35603: Escape table header of make_table output that can cause potential XSS. (GH-11341)" (GH-11356)
This reverts commit 78de01198b047347abc5e458851bb12c48429e24.
-rw-r--r--Lib/difflib.py4
-rw-r--r--Lib/test/test_difflib.py9
-rw-r--r--Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst2
3 files changed, 0 insertions, 15 deletions
diff --git a/Lib/difflib.py b/Lib/difflib.py
index 4571817..887c3c2 100644
--- a/Lib/difflib.py
+++ b/Lib/difflib.py
@@ -2036,10 +2036,6 @@ class HtmlDiff(object):
s.append( fmt % (next_id[i],next_href[i],fromlist[i],
next_href[i],tolist[i]))
if fromdesc or todesc:
- fromdesc = fromdesc.replace("&", "&amp;").replace(">", "&gt;") \
- .replace("<", "&lt;")
- todesc = todesc.replace("&", "&amp;").replace(">", "&gt;") \
- .replace("<", "&lt;")
header_row = '<thead><tr>%s%s%s%s</tr></thead>' % (
'<th class="diff_next"><br /></th>',
'<th colspan="2" class="diff_header">%s</th>' % fromdesc,
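Review bot: With the escaping removed, `fromdesc` and `todesc` reach the `<th class="diff_header">` cells of `header_row` verbatim, so a caller that passes a file name or other externally supplied string as a description gets it rendered as HTML in the generated table. The commit message gives no reason for the revert; presumably raw HTML in the headers is kept for compatibility, in which case that contract should be written down instead of left implicit. I would add above `header_row = ...` the comment `# fromdesc/todesc are inserted as raw HTML; callers must pass untrusted values through html.escape() first`, and state the same in the `make_table` docstring. A test that pins the pass-through behaviour would also replace the removed `test_make_table_escape_table_header` and stop the behaviour changing silently again. The enclosing method starts and ends outside this hunk.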
diff --git a/Lib/test/test_difflib.py b/Lib/test/test_difflib.py
index 63ebdb0..745ccbd 100644
--- a/Lib/test/test_difflib.py
+++ b/Lib/test/test_difflib.py
@@ -238,15 +238,6 @@ class TestSFpatches(unittest.TestCase):
with open(findfile('test_difflib_expect.html')) as fp:
self.assertEqual(actual, fp.read())
- def test_make_table_escape_table_header(self):
- html_diff = difflib.HtmlDiff()
- output = html_diff.make_table(patch914575_from1.splitlines(),
- patch914575_to1.splitlines(),
- fromdesc='<from>',
- todesc='<to>')
- self.assertIn('&lt;from&gt;', output)
- self.assertIn('&lt;to&gt;', output)
-
def test_recursion_limit(self):
# Check if the problem described in patch #1413711 exists.
limit = sys.getrecursionlimit()
diff --git a/Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst b/Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst
deleted file mode 100644
index 03150c3..0000000
--- a/Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Escape table header output of :meth:`difflib.HtmlDiff.make_table`.
-Patch by Karthikeyan Singaravelan.