bpo-38243, xmlrpc.server: Escape the server_title (GH-16373)
Escape the server title of xmlrpc.server.DocXMLRPCServer when rendering the document page as HTML.
parent
dd6117c6d7
commit
e8650a4f8c
|
@ -1,5 +1,6 @@
|
||||||
from xmlrpc.server import DocXMLRPCServer
|
from xmlrpc.server import DocXMLRPCServer
|
||||||
import http.client
|
import http.client
|
||||||
|
import re
|
||||||
import sys
|
import sys
|
||||||
import threading
|
import threading
|
||||||
import unittest
|
import unittest
|
||||||
|
@ -192,6 +193,21 @@ class DocXMLRPCHTTPGETServer(unittest.TestCase):
|
||||||
b'method_annotation</strong></a>(x: bytes)</dt></dl>'),
|
b'method_annotation</strong></a>(x: bytes)</dt></dl>'),
|
||||||
response.read())
|
response.read())
|
||||||
|
|
||||||
|
def test_server_title_escape(self):
|
||||||
|
# bpo-38243: Ensure that the server title and documentation
|
||||||
|
# are escaped for HTML.
|
||||||
|
self.serv.set_server_title('test_title<script>')
|
||||||
|
self.serv.set_server_documentation('test_documentation<script>')
|
||||||
|
self.assertEqual('test_title<script>', self.serv.server_title)
|
||||||
|
self.assertEqual('test_documentation<script>',
|
||||||
|
self.serv.server_documentation)
|
||||||
|
|
||||||
|
generated = self.serv.generate_html_documentation()
|
||||||
|
title = re.search(r'<title>(.+?)</title>', generated).group()
|
||||||
|
documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
|
||||||
|
self.assertEqual('<title>Python: test_title<script></title>', title)
|
||||||
|
self.assertEqual('<p><tt>test_documentation<script></tt></p>', documentation)
|
||||||
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
if __name__ == '__main__':
|
||||||
unittest.main()
|
unittest.main()
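Review bot: In test_server_title_escape, both `re.search(...).group()` calls raise AttributeError if the pattern is missing from the generated page, so a layout regression surfaces as an error instead of a failed assertion; binding the match first and adding `self.assertIsNotNone(match)` before `.group()` would keep the failure readable. The expected strings appear on this page with a literal `<script>`, presumably because the page viewer decoded the entities. The assertions only prove escaping if the source file compares against `&lt;script&gt;`, so that is worth confirming in the raw file. The payload covers `<` and `>` only; a title containing `&` and `"` would also pin the other characters that html.escape handles.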
|
||||||
|
|
|
@ -108,6 +108,7 @@ from xmlrpc.client import Fault, dumps, loads, gzip_encode, gzip_decode
|
||||||
from http.server import BaseHTTPRequestHandler
|
from http.server import BaseHTTPRequestHandler
|
||||||
from functools import partial
|
from functools import partial
|
||||||
from inspect import signature
|
from inspect import signature
|
||||||
|
import html
|
||||||
import http.server
|
import http.server
|
||||||
import socketserver
|
import socketserver
|
||||||
import sys
|
import sys
|
||||||
|
@ -894,7 +895,7 @@ class XMLRPCDocGenerator:
|
||||||
methods
|
methods
|
||||||
)
|
)
|
||||||
|
|
||||||
return documenter.page(self.server_title, documentation)
|
return documenter.page(html.escape(self.server_title), documentation)
|
||||||
|
|
||||||
class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
|
class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
|
||||||
"""XML-RPC and documentation request handler class.
|
"""XML-RPC and documentation request handler class.
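Review bot: The new `html.escape(self.server_title)` call in the return statement has no comment explaining why only the title is escaped here while `documentation` is passed through unchanged. Judging by the accompanying test, the documentation string is expected to be escaped already by code outside this hunk, but that is not visible here and should be confirmed. A one-line comment such as `# the title is handed to page() as-is, so escape it here; documentation is built (and presumably escaped) above` would record the assumption. The stored `server_title` stays raw, as the test asserts, so any other place that renders it into HTML needs the same escaping. The enclosing method starts outside the hunk.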
|
||||||
|
|
|
@ -0,0 +1,3 @@
|
||||||
|
Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer`
|
||||||
|
when rendering the document page as HTML.
|
||||||
|
(Contributed by Dong-hee Na in :issue:`38243`.)
|