diff -r 56f25569ba86 Lib/test/test_xmlrpc.py
--- a/Lib/test/test_xmlrpc.py Tue May 21 12:47:57 2013 +0300
+++ b/Lib/test/test_xmlrpc.py Wed May 22 15:07:36 2013 +0300
@@ -197,6 +197,12 @@
 self.assertIs(type(newvalue), xmlrpclib.Binary)
 self.assertIsNone(m)
 
+ def test_dump_invalid_string(self):
+ for i in ((set(range(32)) - {9, 10, 13}) |
+ set(range(0xdc00, 0xc000)) |
+ {0xfffe, 0xffff}):
+ self.assertRaises(ValueError, xmlrpclib.dumps, (chr(i),))
+
 def test_get_host_info(self):
 # see bug #3613, this raised a TypeError
 transp = xmlrpc.client.Transport()
diff -r 56f25569ba86 Lib/xmlrpc/client.py
--- a/Lib/xmlrpc/client.py Tue May 21 12:47:57 2013 +0300
+++ b/Lib/xmlrpc/client.py Wed May 22 15:07:36 2013 +0300
@@ -137,6 +137,7 @@
 import socket
 import errno
 from io import BytesIO
+import re
 try:
 import gzip
 except ImportError:
@@ -145,7 +146,13 @@
 # --------------------------------------------------------------------
 # Internal stuff
 
+_invalid_chars_re = re.compile('[\x00-\x08\x0b\x0c\x0e-\x1f'
+ '\udc00-\udfff|\ufffe|\uffff]', re.S)
+
 def escape(s):
+ if _invalid_chars_re.search(s):
+ raise ValueError('invalid string')
+
 s = s.replace("&", "&")
 s = s.replace("<", "<")
 return s.replace(">", ">",)
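Review bot: `set(range(0xdc00, 0xc000))` in test_dump_invalid_string is an empty range because the start is larger than the stop, so no surrogate code point is ever passed to `xmlrpclib.dumps` and that part of the new check is untested. The bound was presumably meant to mirror the `\udc00-\udfff` class added in client.py: `set(range(0xdc00, 0xe000)) |`. The test would also be stronger with a positive case asserting that 9, 10, 13 and an ordinary character such as `|` still serialize without raising, so an over-broad pattern is caught as well as an under-broad one.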
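Review bot: Inside the character class of `_invalid_chars_re` the `|` characters are literals, not alternation, so `escape()` now raises ValueError for any string that merely contains a pipe, e.g. `'a|b'`. The class also starts at `\udc00`, so lone high surrogates `\ud800-\udbff`, which the XML 1.0 Char production excludes as well, appear to be let through. Both are fixed by writing the second literal as `'\ud800-\udfff\ufffe\uffff]')`, and `re.S` can be dropped because the pattern contains no `.`. The ValueError message could name the offending code point, without echoing the whole string, so a caller can tell which field of a payload was rejected.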