1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
# HG changeset patch
# User Zac Medico <zmedico@gentoo.org>
# Date 1494468556 25200
# Branch test-quote-html
# Node ID b8a28438442ec12cd4067fd3240d9afc8e6998da
# Parent a986296769f3fc4daa0f29fe28b857f43d05634d
Use html.escape for python3.6 compat
https://bitbucket.org/nikratio/python-dugong/pull-requests/3
diff --git a/test/test_dugong.py b/test/test_dugong.py
--- a/test/test_dugong.py
+++ b/test/test_dugong.py
@@ -24,7 +24,7 @@
from dugong import (HTTPConnection, BodyFollowing, CaseInsensitiveDict, _join,
ConnectionClosed)
import dugong
-from http.server import BaseHTTPRequestHandler, _quote_html
+from http.server import BaseHTTPRequestHandler
from io import TextIOWrapper
from base64 import b64encode
import http.client
@@ -34,6 +34,7 @@
import ssl
import re
import os
+import html
import hashlib
import threading
import socketserver
@@ -1163,9 +1164,12 @@
message = shortmsg
explain = longmsg
self.log_error("code %d, message %s", code, message)
- # using _quote_html to prevent Cross Site Scripting attacks (see bug #1100201)
- content = (self.error_message_format % {'code': code, 'message': _quote_html(message),
- 'explain': explain}).encode('utf-8', 'replace')
+ # HTML encode to prevent Cross Site Scripting attacks (see bug #1100201)
+ content = (self.error_message_format % {
+ 'code': code,
+ 'message': html.escape(message, quote=False),
+ 'explain': explain
+ }).encode('utf-8', 'replace')
self.send_response(code, message)
self.send_header("Content-Type", self.error_content_type)
self.send_header("Content-Length", str(len(content)))
|
