gh-69426: only unescape properly terminated character entities in attribute values #95215
Next
Next commit
gh-69426: only unescape properly terminated character entities in att…
…ribute values
- Loading branch information
commit 71a89f98c31e2f1285221568de73fbc1e09ad84d
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -347,17 +347,17 @@ def test_convert_charrefs(self): | |
| self.assertTrue(collector().convert_charrefs) | ||
| charrefs = ['"', '"', '"', '"', '"', '"'] | ||
| # check charrefs in the middle of the text/attributes | ||
| expected = [('starttag', 'a', [('href', 'foo " zar')]), | ||
| ('data', 'a"z'), ('endtag', 'a')] | ||
| for charref in charrefs: | ||
| self._run_check('<a href="foo {0} zar">a{0}z</a>'.format(charref), | ||
| expected, collector=collector()) | ||
| # check charrefs at the beginning/end of the text | ||
| expected = [('data', '"'), | ||
| ('starttag', 'a', []), | ||
| ('data', '"'), ('endtag', 'a'), ('data', '"')] | ||
| for charref in charrefs: | ||
| self._run_check('{0}<a>' | ||
|
There was a problem hiding this comment. Changed the existing tests to remove flawed assumptions about how the unescaping in attribute values should work. There was a problem hiding this comment. It might be better to remove all attribute-related checks from this test, and move them in the next. |
||
| '{0}</a>{0}'.format(charref), | ||
| expected, collector=collector()) | ||
| # check charrefs in <script>/<style> elements | ||
|
|
@@ -380,6 +380,48 @@ def test_convert_charrefs(self): | |
| self._run_check('no charrefs here', [('data', 'no charrefs here')], | ||
| collector=collector()) | ||
|
|
||
| def test_convert_charrefs_in_attribute_values(self): | ||
| # default value for convert_charrefs is now True | ||
| collector = lambda: EventCollectorCharrefs() | ||
| self.assertTrue(collector().convert_charrefs) | ||
|
|
||
| # do unescape numeric and hex char refs | ||
| expected = [('starttag', 'a', | ||
| [('href', 'https://example.com?foo¢=bar¢&baz¢=bla¢')]), | ||
| ('endtag', 'a')] | ||
| self._run_check('<a href="https://example.com?foo¢=bar¢&baz¢=bla¢"></a>', expected, collector=collector()) | ||
|
|
||
| # do unescape entity matches not followed by ASCII alphanumeric | ||
| expected = [('starttag', 'a', | ||
| [('href', 'https://example.com?foo¢¢ ¢+¢')]), | ||
| ('endtag', 'a')] | ||
| self._run_check('<a href="https://example.com?foo¢¢ ¢+¢"></a>', expected, collector=collector()) | ||
|
|
||
| # do not unescape entity matches followed by ASCII alphanumeric | ||
| expected = [('starttag', 'a', | ||
| [('href', 'https://example.com?foo¢er¢123')]), | ||
| ('endtag', 'a')] | ||
| self._run_check('<a href="https://example.com?foo¢er¢123"></a>', expected, collector=collector()) | ||
|
|
||
| # do not unescape entity matches followed by equals | ||
| expected = [('starttag', 'a', | ||
| [('href', 'https://example.com?foo¢=123')]), | ||
| ('endtag', 'a')] | ||
| self._run_check('<a href="https://example.com?foo¢=123"></a>', expected, collector=collector()) | ||
|
|
||
| # do unescape terminated entity matches followed by equals | ||
| expected = [('starttag', 'a', | ||
| [('href', 'https://example.com?foo¢=123')]), | ||
| ('endtag', 'a')] | ||
| self._run_check('<a href="https://example.com?foo¢=123"></a>', expected, collector=collector()) | ||
|
There was a problem hiding this comment. If possible, it would be better to match the style of the previous test, creating different lists of charrefs (e.g. valid, invalid, named, numeric, etc.) and add them in different places in the attribute (beginning, end, before an alnum/space/semicolon/equal). Also try to keep the lines shorter than 80 chars (you can remove the initial part of the URLs, since they are not necessary). There was a problem hiding this comment. Thanks, looking at it combining multiple cases in a single attribute is indeed hard to read. I restructured the test to have two scenarios:
Both include cases for start, middle, end, as well as followed by alphanumeric, non-alphanumeric and equals sign. I hope it's a bit clearer now. Also updated formatting to respect the 80 char limit. |
||
|
|
||
| # do unescape char refs at begging and end of text attributes | ||
| charrefs = ['"', '"', '"', '"', '"', '"'] | ||
| expected = [('starttag', 'a', [('x', '"'), ('y', '"-X'), ('z', 'X-"')]), ('endtag', 'a')] | ||
| for charref in charrefs: | ||
| self._run_check('<a x="{0}" y="{0}-X" z="X-{0}"></a>'.format(charref), | ||
| expected, collector=collector()) | ||
|
There was a problem hiding this comment. Extracted this from |
||
|
|
||
| # the remaining tests were for the "tolerant" parser (which is now | ||
| # the default), and check various kind of broken markup | ||
| def test_tolerant_parsing(self): | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| Fix :class:`HTMLParser` to not unescape character entities in attribute | ||
| values if they are followed by an ASCII alphanumeric or an equals sign. |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This partially duplicates an existing Regex, but I was not able to reuse the existing one for this purpose.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since the issue only seems to affect named character references, is there a reason to include numeric charrefs too in this regex?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, the new
_unescape_attrvalueis effectively a wrapper forhtml.escapethat only delegates tohtml.escapeif the attribute specific conditions are met. Since we still want to escape numeric and hex char refs in attributes, we need to include them in the regex.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It would be better to move this immediately after the definition of
entityrefandcharref. If we change one regexp, we will not forget to change the other.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done