Patch by Xiang Zhang.
DEFAULT_ERROR_CONTENT_TYPE = "text/html;charset=utf-8"
-def _quote_html(html):
- return html.replace("&", "&").replace("<", "<").replace(">", ">")
-
class HTTPServer(socketserver.TCPServer):
allow_reuse_address = 1 # Seems to make sense in testing environment
if explain is None:
explain = longmsg
self.log_error("code %d, message %s", code, message)
- # using _quote_html to prevent Cross Site Scripting attacks (see bug #1100201)
- content = (self.error_message_format %
- {'code': code, 'message': _quote_html(message), 'explain': _quote_html(explain)})
+ # HTML encode to prevent Cross Site Scripting attacks (see bug #1100201)
+ content = (self.error_message_format % {
+ 'code': code,
+ 'message': html.escape(message, quote=False),
+ 'explain': html.escape(explain, quote=False)
+ })
body = content.encode('UTF-8', 'replace')
self.send_response(code, message)
self.send_header("Content-Type", self.error_content_type)
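Review bot: `html.escape(message, quote=False)` and the matching `explain` call leave `"` and `'` untouched, which is only safe while `self.error_message_format` interpolates `%(message)s`/`%(explain)s` as element text; that template is a public class attribute, so a subclass that places either value inside an attribute (`title="%(message)s"`) would be open to attribute breakout, and the new comment "HTML encode to prevent Cross Site Scripting attacks" does not say so. State the constraint at the escape site, e.g. `# quote=False keeps the old _quote_html behaviour (&, <, > only); message/explain are safe as element text only — never interpolate them inside an HTML attribute in error_message_format` — or drop `quote=False` here, since escaping quotes in body text costs nothing. send_error's body begins before and ends after this hunk.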
errors='surrogatepass')
except UnicodeDecodeError:
displaypath = urllib.parse.unquote(path)
- displaypath = html.escape(displaypath)
+ displaypath = html.escape(displaypath, quote=False)
enc = sys.getfilesystemencoding()
title = 'Directory listing for %s' % displaypath
r.append('<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" '
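Review bot: Replacing `html.escape(displaypath)` with `html.escape(displaypath, quote=False)` is a strictly weaker transform on a value that is then formatted into `title`, and nothing in the hunk explains why the default was given up. As far as this hunk shows, `displaypath` is used as element text (the `title` string), so this is not exploitable, but if the motivation is uniformity with send_error that should be recorded, e.g. `# quote=False: displaypath is only ever emitted as element text`; otherwise keeping the default `html.escape(displaypath)` is the safer baseline. list_directory continues outside this hunk.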
r.append('<li><a href="%s">%s</a></li>'
% (urllib.parse.quote(linkname,
errors='surrogatepass'),
- html.escape(displayname)))
+ html.escape(displayname, quote=False)))
r.append('</ul>\n<hr>\n</body>\n</html>\n')
encoded = '\n'.join(r).encode(enc, 'surrogateescape')
f = io.BytesIO()
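Review bot: The `<li><a href="%s">%s</a></li>` line now mixes two different protections — `urllib.parse.quote(linkname, errors='surrogatepass')` for the attribute value and `html.escape(displayname, quote=False)` for the link text — and nothing notes that the second value is no longer attribute-safe once quotes pass through. A later change that reuses `displayname` in, say, a `title=` attribute would become injectable without any test catching it. Add a comment above the append: `# href is percent-encoded; displayname is escaped for text content only (quote=False) and must not be reused inside an attribute`. list_directory continues outside this hunk.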
quotedname = urllib.parse.quote(filename, errors='surrogatepass')
self.assertIn(('href="%s"' % quotedname)
.encode(enc, 'surrogateescape'), body)
- self.assertIn(('>%s<' % html.escape(filename))
+ self.assertIn(('>%s<' % html.escape(filename, quote=False))
.encode(enc, 'surrogateescape'), body)
response = self.request(self.base_url + '/' + quotedname)
self.check_status_and_reason(response, HTTPStatus.OK,
self.assertEqual(response.getheader("Location"),
self.tempdir_name + "/?hi=1")
+ def test_html_escape_filename(self):
+ filename = '<test&>.txt'
+ fullpath = os.path.join(self.tempdir, filename)
+
+ try:
+ open(fullpath, 'w').close()
+ except OSError:
+ raise unittest.SkipTest('Can not create file %s on current file '
+ 'system' % filename)
+
+ try:
+ response = self.request(self.base_url + '/')
+ body = self.check_status_and_reason(response, HTTPStatus.OK)
+ enc = response.headers.get_content_charset()
+ finally:
+ os.unlink(fullpath) # avoid affecting test_undecodable_filename
+
+ self.assertIsNotNone(enc)
+ html_text = '>%s<' % html.escape(filename, quote=False)
+ self.assertIn(html_text.encode(enc), body)
+
cgi_file1 = """\
#!%s
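Review bot: `test_html_escape_filename` only asserts that the escaped form of `<test&>.txt` appears in the body; it never asserts that the raw name is absent, and since the filename contains no quote character the test cannot observe the `quote=False` choice it was added to cover. Add `self.assertNotIn(filename.encode(enc), body)` after the existing `assertIn` to pin the actual security property, and consider a second filename containing `"` (under the same `SkipTest` guard, since not every filesystem allows it) so the quote handling is exercised. Minor style point: `open(fullpath, 'w').close()` reads better as `with open(fullpath, 'w'): pass`.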
self.assertFalse(self.handler.get_called)
self.assertEqual(self.handler.requestline, 'GET / HTTP/1.1')
+ def test_html_escape_on_error(self):
+ result = self.send_typical_request(
+ b'<script>alert("hello")</script> / HTTP/1.1')
+ result = b''.join(result)
+ text = '<script>alert("hello")</script>'
+ self.assertIn(html.escape(text, quote=False).encode('ascii'), result)
+
def test_close_connection(self):
# handle_one_request() should be repeatedly called until
# it sets close_connection
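Review bot: `test_html_escape_on_error` establishes escaping only by a positive match on `&lt;script&gt;alert("hello")&lt;/script&gt;`, so the property that matters — the raw `<script>` never reaching the response — is not asserted, and because the expected string keeps the double quotes unescaped the test is pinned to `quote=False` rather than to "no injection". Add `self.assertNotIn(text.encode('ascii'), result)` next to the existing `assertIn` so a regression that drops escaping fails for the right reason regardless of which quote mode is used, assuming `send_typical_request` returns only the response bytes and not the server log.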
Library
-------
+- Issue #26585: Eliminate http.server._quote_html() and use
+ html.escape(quote=False). Patch by Xiang Zhang.
+
- Issue #26685: Raise OSError if closing a socket fails.
- Issue #16329: Add .webm to mimetypes.types_map. Patch by Giampaolo Rodola'.