diff options
| author | Serhiy Storchaka <storchaka@gmail.com> | 2019-01-02 12:49:25 (GMT) |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-01-02 12:49:25 (GMT) |
| commit | 830ddc74c495ac1a5c03172a31006074967571a3 (patch) | |
| tree | d3ccaa516ce24b6c46553bb76e793192f08a86da | |
| parent | 3a374e0c5abe805667b71ffaaa7614781101ff4c (diff) | |
| download | cpython-830ddc74c495ac1a5c03172a31006074967571a3.zip cpython-830ddc74c495ac1a5c03172a31006074967571a3.tar.gz cpython-830ddc74c495ac1a5c03172a31006074967571a3.tar.bz2 | |
Revert "bpo-35603: Escape table header of make_table output that can cause potential XSS. (GH-11341)" (GH-11356)
This reverts commit 78de01198b047347abc5e458851bb12c48429e24.
| -rw-r--r-- | Lib/difflib.py | 4 | ||||
| -rw-r--r-- | Lib/test/test_difflib.py | 9 | ||||
| -rw-r--r-- | Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst | 2 |
3 files changed, 0 insertions, 15 deletions
diff --git a/Lib/difflib.py b/Lib/difflib.py index 4571817..887c3c2 100644 --- a/Lib/difflib.py +++ b/Lib/difflib.py @@ -2036,10 +2036,6 @@ class HtmlDiff(object): s.append( fmt % (next_id[i],next_href[i],fromlist[i], next_href[i],tolist[i])) if fromdesc or todesc: - fromdesc = fromdesc.replace("&", "&").replace(">", ">") \ - .replace("<", "<") - todesc = todesc.replace("&", "&").replace(">", ">") \ - .replace("<", "<") header_row = '<thead><tr>%s%s%s%s</tr></thead>' % ( '<th class="diff_next"><br /></th>', '<th colspan="2" class="diff_header">%s</th>' % fromdesc, diff --git a/Lib/test/test_difflib.py b/Lib/test/test_difflib.py index 63ebdb0..745ccbd 100644 --- a/Lib/test/test_difflib.py +++ b/Lib/test/test_difflib.py @@ -238,15 +238,6 @@ class TestSFpatches(unittest.TestCase): with open(findfile('test_difflib_expect.html')) as fp: self.assertEqual(actual, fp.read()) - def test_make_table_escape_table_header(self): - html_diff = difflib.HtmlDiff() - output = html_diff.make_table(patch914575_from1.splitlines(), - patch914575_to1.splitlines(), - fromdesc='<from>', - todesc='<to>') - self.assertIn('<from>', output) - self.assertIn('<to>', output) - def test_recursion_limit(self): # Check if the problem described in patch #1413711 exists. limit = sys.getrecursionlimit() diff --git a/Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst b/Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst deleted file mode 100644 index 03150c3..0000000 --- a/Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst +++ /dev/null @@ -1,2 +0,0 @@ -Escape table header output of :meth:`difflib.HtmlDiff.make_table`. -Patch by Karthikeyan Singaravelan. |