diff -r adb6b029b102 Lib/http/server.py
--- a/Lib/http/server.py Wed Mar 09 15:02:31 2016 +0100
+++ b/Lib/http/server.py Sun Mar 20 02:09:45 2016 +0800
@@ -126,9 +126,6 @@
 DEFAULT_ERROR_CONTENT_TYPE = "text/html;charset=utf-8"
-def _quote_html(html):
- return html.replace("&", "&").replace("<", "<").replace(">", ">")
-
 class HTTPServer(socketserver.TCPServer):
 allow_reuse_address = 1 # Seems to make sense in testing environment
@@ -443,9 +440,12 @@
 if explain is None:
 explain = longmsg
 self.log_error("code %d, message %s", code, message)
- # using _quote_html to prevent Cross Site Scripting attacks (see bug #1100201)
- content = (self.error_message_format %
- {'code': code, 'message': _quote_html(message), 'explain': _quote_html(explain)})
+ # bug #1100201
+ content = (self.error_message_format % {
+ 'code': code,
+ 'message': html.escape(message, False),
+ 'explain': html.escape(explain, False)
+ })
 body = content.encode('UTF-8', 'replace')
 self.send_response(code, message)
 self.send_header("Content-Type", self.error_content_type)
@@ -709,7 +709,7 @@
 errors='surrogatepass')
 except UnicodeDecodeError:
 displaypath = urllib.parse.unquote(path)
- displaypath = html.escape(displaypath)
+ displaypath = html.escape(displaypath, False)
 enc = sys.getfilesystemencoding()
 title = 'Directory listing for %s' % displaypath
 r.append('%s' % (urllib.parse.quote(linkname, errors='surrogatepass'),
- html.escape(displayname)))
+ html.escape(displayname, False)))
 r.append('\n
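Review bot: The new `html.escape(message, False)` and `html.escape(explain, False)` calls leave `"` and `'` unescaped, which is only safe while `error_message_format` interpolates `%(message)s` and `%(explain)s` as element text; that format string is a handler attribute defined outside this hunk and can be overridden, so a template that places either value inside an attribute would receive an unescaped quote. The comment being removed explained why the escaping exists, and the replacement `# bug #1100201` drops both the reason and this new constraint. Keep them next to the call: `# Escape message/explain against XSS (bug #1100201); quote=False assumes the` `# format string uses them as element text, never inside an attribute.` Spelling the argument as `quote=False` instead of a bare positional `False` would also make the choice visible at the call site. send_error begins and ends outside this hunk.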
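Review bot: Dropping quote escaping for `displaypath` here, and for `displayname` in the following hunk (whose end lies outside this chunk), is sound only while both values are interpolated as element text, as `title` on the next line is and as the link label presumably is while the href goes through `urllib.parse.quote`; nothing in the hunk records that invariant, so a later edit that moves either value into an attribute would silently reintroduce what `html.escape` was guarding against. Add a comment at the first call: `# quote=False: displaypath/displayname only ever land in element text; keep quote escaping if they are ever placed in an attribute.` The keyword form `quote=False` would also read better than the positional `False`. list_directory begins and ends outside this hunk.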