bpo-35603: Escape table header of make_table output that can cause potential XSS. (GH-11341)

author: Xtreak <tir.karthi@gmail.com> 2018-12-29 08:53:14 (GMT)
committer: Serhiy Storchaka <storchaka@gmail.com> 2018-12-29 08:53:14 (GMT)
commit: 78de01198b047347abc5e458851bb12c48429e24 (patch)
tree: 283cae69008846284c79afa38dcf1ccd148a7238 /Lib/test/test_difflib.py
parent: 1f511e1af060e98fb789319a96076c06e7f98135 (diff)
download: cpython-78de01198b047347abc5e458851bb12c48429e24.zip
cpython-78de01198b047347abc5e458851bb12c48429e24.tar.gz
cpython-78de01198b047347abc5e458851bb12c48429e24.tar.bz2
1 files changed, 9 insertions, 0 deletions
diff --git a/Lib/test/test_difflib.py b/Lib/test/test_difflib.py
index 745ccbd..63ebdb0 100644
--- a/Lib/test/test_difflib.py
+++ b/Lib/test/test_difflib.py
@@ -238,6 +238,15 @@ class TestSFpatches(unittest.TestCase):
         with open(findfile('test_difflib_expect.html')) as fp:
             self.assertEqual(actual, fp.read())
 
+    def test_make_table_escape_table_header(self):
+        html_diff = difflib.HtmlDiff()
+        output = html_diff.make_table(patch914575_from1.splitlines(),
+                                      patch914575_to1.splitlines(),
+                                      fromdesc='<from>',
+                                      todesc='<to>')
+        self.assertIn('&lt;from&gt;', output)
+        self.assertIn('&lt;to&gt;', output)
+
     def test_recursion_limit(self):
         # Check if the problem described in patch #1413711 exists.
         limit = sys.getrecursionlimit()
author	Xtreak <tir.karthi@gmail.com>	2018-12-29 08:53:14 (GMT)
committer	Serhiy Storchaka <storchaka@gmail.com>	2018-12-29 08:53:14 (GMT)
commit	78de01198b047347abc5e458851bb12c48429e24 (patch)
tree	283cae69008846284c79afa38dcf1ccd148a7238 /Lib/test/test_difflib.py
parent	1f511e1af060e98fb789319a96076c06e7f98135 (diff)
download	cpython-78de01198b047347abc5e458851bb12c48429e24.zip cpython-78de01198b047347abc5e458851bb12c48429e24.tar.gz cpython-78de01198b047347abc5e458851bb12c48429e24.tar.bz2