bpo-35603: Add a note on difflib table header interpreted as HTML (GH-11439)

2019-09-11 12:21:31 +01:00 · 2019-09-11 12:21:31 +01:00 · c78dae8d2b
parent 2d7cacacc3
commit c78dae8d2b
1 changed files with 4 additions and 0 deletions
--- a/Doc/library/difflib.rst
+++ b/Doc/library/difflib.rst
@ -127,6 +127,10 @@ diffs. For comparing directories and files, see also, the :mod:`filecmp` module.
      the next difference highlight at the top of the browser without any leading
      context).

+      .. note::
+         *fromdesc* and *todesc* are interpreted as unescaped HTML and should be
+         properly escaped while receiving input from untrusted sources.
+
      .. versionchanged:: 3.5
         *charset* keyword-only argument was added.  The default charset of
         HTML document changed from ``'ISO-8859-1'`` to ``'utf-8'``.