[issue35603] table header in output of difflib.HtmlDiff.make_table is not escaped and can be rendered as code in the browser

Karthikeyan Singaravelan report at bugs.python.org
Sat Dec 29 11:09:24 EST 2018


Karthikeyan Singaravelan <tir.karthi at gmail.com> added the comment:

Thanks Serhiy for the input. I initially thought this should be escaped since the content was escaped, and the same for the header, since user input taken directly could result in XSS. Maybe someone might be using this undocumented feature intentionally, which might not be worth breaking.

I will make a PR for this to be noted in docs that the parameters are interpreted as HTML.

----------

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue35603>
_______________________________________


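The behaviour discussed in this thread, shown as an added example (not code from the tracker issue or from CPython): the diff body that make_table emits is HTML-escaped, but the fromdesc/todesc header strings are inserted verbatim, so a caller that passes untrusted text there must escape it first. The sample lines and the hostile header value are constructed for the example; the make_table_escaped wrapper and the helper names are assumptions introduced here, not part of difflib.

```python
import difflib
import html

# Constructed sample input: two versions of a small config file, with an
# added line that carries markup so the body escaping is visible too.
FROM_LINES = ["user = alice", "debug = false"]
TO_LINES = ["user = alice", "debug = false", "note = <script>alert(1)</script>"]

# Constructed attacker-controlled header, e.g. a "filename" taken from a form field.
HOSTILE_DESC = '<img src=x onerror="alert(1)">'


def make_table_unescaped(from_lines, to_lines, from_desc, to_desc):
    """Call HtmlDiff.make_table as-is: body lines are escaped, headers are not."""
    return difflib.HtmlDiff().make_table(
        from_lines, to_lines, fromdesc=from_desc, todesc=to_desc
    )


def make_table_escaped(from_lines, to_lines, from_desc, to_desc):
    """Hypothetical wrapper: escape the header strings before difflib sees them.

    The diff body is already escaped by difflib, so only the header
    parameters need treatment here; escaping the lines as well would
    double-escape them.
    """
    return difflib.HtmlDiff().make_table(
        from_lines,
        to_lines,
        fromdesc=html.escape(from_desc, quote=True),
        todesc=html.escape(to_desc, quote=True),
    )


def header_is_escaped(table, desc):
    """True if the raw header text is absent and its escaped form is present."""
    return desc not in table and html.escape(desc, quote=True) in table


def body_is_escaped(table):
    """True if the added line's markup was escaped (no literal <script> tag)."""
    return "<script>" not in table and "&lt;script&gt;alert(1)&lt;/script&gt;" in table


if __name__ == "__main__":
    raw = make_table_unescaped(FROM_LINES, TO_LINES, HOSTILE_DESC, "to.cfg")
    safe = make_table_escaped(FROM_LINES, TO_LINES, HOSTILE_DESC, "to.cfg")
    print("unwrapped call, header escaped:", header_is_escaped(raw, HOSTILE_DESC))
    print("unwrapped call, body escaped:  ", body_is_escaped(raw))
    print("wrapped call, header escaped:  ", header_is_escaped(safe, HOSTILE_DESC))
```

Because the escaping is done at the call site, a later Python release that started escaping these parameters itself would double-escape the header text (rendering `&amp;lt;` literally); that is a cosmetic regression, not a security one, which is the right direction to fail in.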