Message 298226 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	Alex Corcoles
Recipients	Alex Corcoles
Date	2017-07-12.15:22:13
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<1499872933.79.0.21578188594.issue30909@psf.upfronthosting.co.za>
In-reply-to

Content
https://docs.python.org/3.7/library/xmlrpc.client.html says: """ When passing strings, characters special to XML such as <, >, and & will be automatically escaped. However, it’s the caller’s responsibility to ensure that the string is free of characters that aren’t allowed in XML, such as the control characters with ASCII values between 0 and 31 (except, of course, tab, newline and carriage return); failing to do this will result in an XML-RPC request that isn’t well-formed XML. If you have to pass arbitrary bytes via XML-RPC, use bytes or bytearray classes or the Binary wrapper class described below. """ The XML-RPC spec at http://xmlrpc.scripting.com/spec.html says: """ What characters are allowed in strings? Non-printable characters? Null characters? Can a "string" be used to hold an arbitrary chunk of binary data? Any characters are allowed in a string except < and &, which are encoded as < and &. A string can be used to encode binary data. """ I believe strings should be XML-escaped correctly or at the very least, an assertion should be made to ensure no malformed XML is ever generated.

https://docs.python.org/3.7/library/xmlrpc.client.html says:

"""
When passing strings, characters special to XML such as <, >, and & will be automatically escaped. However, it’s the caller’s responsibility to ensure that the string is free of characters that aren’t allowed in XML, such as the control characters with ASCII values between 0 and 31 (except, of course, tab, newline and carriage return); failing to do this will result in an XML-RPC request that isn’t well-formed XML. If you have to pass arbitrary bytes via XML-RPC, use bytes or bytearray classes or the Binary wrapper class described below.
"""

The XML-RPC spec at http://xmlrpc.scripting.com/spec.html says:

"""
What characters are allowed in strings? Non-printable characters? Null characters? Can a "string" be used to hold an arbitrary chunk of binary data?

Any characters are allowed in a string except < and &, which are encoded as &lt; and &amp;. A string can be used to encode binary data.
"""

I believe strings should be XML-escaped correctly or at the very least, an assertion should be made to ensure no malformed XML is ever generated.

History
Date	User	Action	Args
2017-07-12 15:22:13	Alex Corcoles	set	recipients: + Alex Corcoles
2017-07-12 15:22:13	Alex Corcoles	set	messageid: <1499872933.79.0.21578188594.issue30909@psf.upfronthosting.co.za>
2017-07-12 15:22:13	Alex Corcoles	link	issue30909 messages
2017-07-12 15:22:13	Alex Corcoles	create