From b41cde823d026f2adc21ef14b1c2e92b1006de06 Mon Sep 17 00:00:00 2001 From: Dong-hee Na Date: Sat, 28 Sep 2019 10:17:25 +0900 Subject: [PATCH 1/3] [2.7] bpo-38243: Escape the server title of DocXMLRPCServer when rendering --- a/Lib/DocXMLRPCServer.py +++ b/Lib/DocXMLRPCServer.py @@ -20,6 +20,16 @@ from SimpleXMLRPCServer import (SimpleXM CGIXMLRPCRequestHandler, resolve_dotted_attribute) + +def _html_escape_quote(s): + s = s.replace("&", "&") # Must be done first! + s = s.replace("<", "<") + s = s.replace(">", ">") + s = s.replace('"', """) + s = s.replace('\'', "'") + return s + + class ServerHTMLDoc(pydoc.HTMLDoc): """Class used to generate pydoc HTML document for a server""" @@ -210,7 +220,8 @@ class XMLRPCDocGenerator: methods ) - return documenter.page(self.server_title, documentation) + title = _html_escape_quote(self.server_title) + return documenter.page(title, documentation) class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler): """XML-RPC and documentation request handler class. --- a/Lib/test/test_docxmlrpc.py +++ b/Lib/test/test_docxmlrpc.py @@ -1,5 +1,6 @@ from DocXMLRPCServer import DocXMLRPCServer import httplib +import re import sys from test import test_support threading = test_support.import_module('threading') @@ -176,6 +177,25 @@ class DocXMLRPCHTTPGETServer(unittest.Te self.assertIn("""Try self.add, too.""", response.read()) + def test_server_title_escape(self): + """Test that the server title and documentation + are escaped for HTML. + """ + self.serv.set_server_title('test_title