gh-149489: Fix ElementTree serialization to HTML#149490
Conversation
serhiy-storchaka
added
needs backport to 3.13
* The content of comments, processing instructions and elements "xmp", "iframe", "noembed", "noframes", and "plaintext" is no longer escaped. * The "plaintext" element no longer have the closing tag. * Add support of empty attributes (with value None).
serhiy-storchaka
force-pushed
the
xml-etree-serialize-html
branch
from
9f169a8 to
e41d61c
Compare
|
Updating to fix some errors we introduced on the main branch. |
StanFromIreland
added
the
needs backport to 3.15
|
I'm not done with the review yet, but I find it risky to silently change output in a point release like 3.1[34].x. If we change this, it's probably still fine for 3.15, but I'd rather see the maintenance releases excluded. |
|
Well, the fix for XML was applied to 2.7 and 3.2 and was not backported to 2.6 and 3.1. It introduces a risk of XML/HTML injection if the comment content was not previously sanitized. See #149468. |
Well, yes. If we remove the current escaping, then we leave user code unprotected. Definitely not something that users should expect from a point release. |
|
Test failures are related to #149571. |
There was a problem hiding this comment.
- It would be good to add some comments to clearly state the intent of the tests (e.g. comments shouldn't be excaped, comments are omitted in text serialization, empty attrs only work in html, etc.).
- Is there any reason why the there are 3 similar but different test strings (
'<spam> & ham','ham & eggs < spam','<spam>&ham')?
Co-authored-by: Ezio Melotti <ezio.melotti@gmail.com>
|
Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14, 3.15. |
serhiy-storchaka
removed
needs backport to 3.13
serhiy-storchaka
removed
the
needs backport to 3.15
|
GH-150592 is a backport of this pull request to the 3.15 branch. |
|
GH-150593 is a backport of this pull request to the 3.14 branch. |
|
GH-150594 is a backport of this pull request to the 3.13 branch. |
serhiy-storchaka
added
the
needs backport to 3.15
|
Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.15. |
* The content of comments, processing instructions and elements "xmp", "iframe", "noembed", "noframes", and "plaintext" is no longer escaped. * The "plaintext" element no longer have the closing tag. * Add support of empty attributes (with value None). (cherry picked from commit bcd29e4) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
Sorry @serhiy-storchaka, I had trouble completing the backport. |
serhiy-storchaka
added
needs backport to 3.15
|
Thanks @serhiy-storchaka for the PR 🌮🎉.. I'm working now to backport this PR to: 3.15. |
* The content of comments, processing instructions and elements "xmp", "iframe", "noembed", "noframes", and "plaintext" is no longer escaped. * The "plaintext" element no longer have the closing tag. * Add support of empty attributes (with value None). (cherry picked from commit bcd29e4) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
Sorry @serhiy-storchaka, I had trouble completing the backport. |
|
GH-150595 is a backport of this pull request to the 3.15 branch. |
bedevere-app
Bot
removed
the
needs backport to 3.15
…GH-149490) (pythonGH-150595) * The content of elements "xmp", "iframe", "noembed", "noframes", and "plaintext" is no longer escaped. * The "plaintext" element no longer have the closing tag. (cherry picked from commit bcd29e4) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
…GH-149490) * The content of elements "xmp", "iframe", "noembed", "noframes", and "plaintext" is no longer escaped. * The "plaintext" element no longer have the closing tag. (cherry picked from commit bcd29e4) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
|
GH-150596 is a backport of this pull request to the 3.14 branch. |
…H-150596) (GH-150609) * The content of elements "xmp", "iframe", "noembed", "noframes", and "plaintext" is no longer escaped. * The "plaintext" element no longer have the closing tag. (cherry picked from commit c42e6d3) (cherry picked from commit bcd29e4) Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
| if tag is Comment: | ||
| write("<!--%s-->" % _escape_cdata(text)) | ||
| write("<!--%s-->" % text) |
There was a problem hiding this comment.
I'm a bit late to the party, but what happens if text contains -->? Shouldn't this be escaped (if there's a way to escape it, I don't think so 🤔) or probably instead be rejected altogether?
| write("<!--%s-->" % text) | ||
| elif tag is ProcessingInstruction: | ||
| write("<?%s?>" % _escape_cdata(text)) | ||
| write("<?%s?>" % text) |
There was a problem hiding this comment.
I guess same question here -- what if text contains ?>?
Yes, that was my concern in #149490 (comment) as well. Note that this part of the changes was not backported and will only appear in 3.15+. The HTML5 spec is explicit about what is not allowed in comments: It's not clear about what is allowed in processing instructions, but that probably just means that I think it's worth rejecting non well-formed text. lxml does it in the API when creating a |
5 participants
Uh oh!
There was an error while loading. Please reload this page.