From 78de01198b047347abc5e458851bb12c48429e24 Mon Sep 17 00:00:00 2001
From: Xtreak
Date: Sat, 29 Dec 2018 14:23:14 +0530
Subject: bpo-35603: Escape table header of make_table output that can cause potential XSS. (GH-11341)

---
 Lib/difflib.py | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'Lib/difflib.py')

diff --git a/Lib/difflib.py b/Lib/difflib.py
index 887c3c26ca..4571817b98 100644
--- a/Lib/difflib.py
+++ b/Lib/difflib.py
@@ -2036,6 +2036,10 @@ class HtmlDiff(object):
             s.append( fmt % (next_id[i],next_href[i],fromlist[i],
                                            next_href[i],tolist[i]))
         if fromdesc or todesc:
+            fromdesc = fromdesc.replace("&", "&").replace(">", ">") \
+                                .replace("<", "<")
+            todesc = todesc.replace("&", "&").replace(">", ">") \
+                           .replace("<", "<")
             header_row = '%s%s%s%s' % (
                 '
',
                 '%s' % fromdesc,
-- cgit v1.2.1
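Review bot: The added `.replace` chains are applied to both descriptions whenever either one is truthy, so a caller that passes a non-string such as `None` for one header (which the existing `'%s' % fromdesc` formatting rendered as the text `None`) now raises AttributeError instead of producing a table; `make_table`'s signature is outside the hunk, so whether that was ever a supported call is inferred rather than shown. Coercing before escaping keeps the old rendering while still neutralising markup, and also removes the duplicated chain: `fromdesc = _escape_desc(fromdesc)` / `todesc = _escape_desc(todesc)` with a module-level helper `def _escape_desc(text): return str(text).replace("&", "&amp;").replace(">", "&gt;").replace("<", "&lt;")` (or `html.escape(str(text), quote=False)` if importing `html` into difflib is acceptable). Quote characters need no escaping here because both values land in element text rather than attribute values, but a regression test asserting that `<script>` in `fromdesc` comes out as `&lt;script&gt;` in the generated table would pin the fix against future refactors.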