
[3.12] gh-135661: Fix CDATA section parsing in HTMLParser (GH-135665) #137774


Open
wants to merge 1 commit into
base: 3.12

serhiy-storchaka
Member

@serhiy-storchaka serhiy-storchaka commented Aug 14, 2025

"] ]>" and "]] >" no longer end the CDATA section.

Make CDATA section parsing context-dependent.
Add private method HTMLParser._set_support_cdata() to change the context. If called with True, "<[CDATA[" starts a CDATA section which ends with "]]>". If called with False, "<[CDATA[" starts a bogus comment which ends with ">".

(cherry picked from commit 0cbbfc4)

…onGH-135665)


Co-authored-by: Serhiy Storchaka <storchaka@gmail.com>
@serhiy-storchaka
Member Author

Backports to 3.9-3.11 will be created from the 3.12 backport.

@serhiy-storchaka serhiy-storchaka added needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes and removed needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes labels Aug 14, 2025
@serhiy-storchaka
Member Author

This code slightly differs from main. Unknown declarations (including CDATA) call handle_decl() instead of handle_comment() if they end with "]>". This is for larger compatibility with old code. But the first ">" ends them, according to the HTML specs.
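
The two contexts named in the pull request description, as an added sketch that is not part of this thread and not CPython's `html.parser` code. `scan_cdata`, its `support_cdata` argument and `SAMPLE` are hypothetical names, the input is constructed, and the opener is written in its standard form `<![CDATA[`. It shows why a consumer that assumes one context while the document is in the other will disagree about where markup resumes.

```python
# Added illustration of the two termination rules; not the html.parser source.
CDATA_OPEN = "<![CDATA["

# Constructed input containing the near-miss terminators "] ]>" and "]] >".
SAMPLE = "<![CDATA[a ] ]> b ]] > c ]]> d > e"


def scan_cdata(data, pos, support_cdata):
    """Scan the construct starting with '<![CDATA[' at data[pos].

    Returns (kind, content, end), where end is the index just past the
    terminator, or None when the terminator has not been seen yet
    (for example, when more input is still to be fed).
    """
    if not data.startswith(CDATA_OPEN, pos):
        raise ValueError("no CDATA opener at pos")
    if support_cdata:
        # CDATA context: only the exact sequence "]]>" ends the section,
        # so "] ]>" and "]] >" stay inside the character data.
        body = pos + len(CDATA_OPEN)
        close = data.find("]]>", body)
        if close < 0:
            return None
        return ("cdata", data[body:close], close + 3)
    # Other context: bogus comment. Everything after "<!" is comment text
    # and the first ">" ends it, whatever precedes that ">".
    body = pos + 2
    close = data.find(">", body)
    if close < 0:
        return None
    return ("bogus-comment", data[body:close], close + 1)


def remainder(data, support_cdata):
    """Text the parser would go on to treat as markup after the construct."""
    result = scan_cdata(data, 0, support_cdata)
    return None if result is None else data[result[2]:]


if __name__ == "__main__":
    for flag in (True, False):
        print(flag, scan_cdata(SAMPLE, 0, flag), repr(remainder(SAMPLE, flag)))
```
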

Labels
awaiting merge needs backport to 3.9 only security fixes needs backport to 3.10 only security fixes needs backport to 3.11 only security fixes type-security A security issue