Message332648
HtmlDiff.make_table takes fromdesc and todesc that are not escaped causing problems while rendering html when they contain tags like fromdesc="<from>", todesc="<to>". There is no validation for them to be filenames so they could be arbitrary strings. Since contents of the table are escaped I think it's good to escape headers too since they might lead to the browser to execute the headers as code and potential XSS. I don't think it's worthy of adding security type so I am adding behavior. Feel free to change the type if needed.
I could see no test failures on applying my patch and I will push a PR with a test.
Current output : (<from> and <to> are not escaped in the output)
$ python3 -c 'import difflib; print(difflib.HtmlDiff().make_table(["<a> hello </a>"], ["<b> hello </b>"], fromdesc="<from>", todesc="<to>"))'
<table class="diff" id="difflib_chg_to0__top"
cellspacing="0" cellpadding="0" rules="groups" >
<colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
<colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup>
<thead><tr><th class="diff_next"><br /></th><th colspan="2" class="diff_header"><from></th><th class="diff_next"><br /></th><th colspan="2" class="diff_header"><to></th></tr></thead>
<tbody>
<tr><td class="diff_next" id="difflib_chg_to0__0"><a href="#difflib_chg_to0__top">t</a></td><td class="diff_header" id="from0_1">1</td><td nowrap="nowrap"><<span class="diff_chg">a</span>> hello </<span class="diff_chg">a</span>></td><td class="diff_next"><a href="#difflib_chg_to0__top">t</a></td><td class="diff_header" id="to0_1">1</td><td nowrap="nowrap"><<span class="diff_chg">b</span>> hello </<span class="diff_chg">b</span>></td></tr>
</tbody>
</table> |
|
Date |
User |
Action |
Args |
2018-12-28 09:18:03 | xtreak | set | recipients:
+ xtreak |
2018-12-28 09:18:00 | xtreak | set | messageid: <1545988680.87.0.068090288545.issue35603@roundup.psfhosted.org> |
2018-12-28 09:18:00 | xtreak | link | issue35603 messages |
2018-12-28 09:18:00 | xtreak | create | |
|