From 79b6f2c5b408ba5c95714a10909ff1f6e8ebe2b7 Mon Sep 17 00:00:00 2001
From: duzhihao
Date: Wed, 6 Mar 2024 14:54:11 +0800
Subject: [PATCH] =?UTF-8?q?Decription:=20=E3=80=90Bugfix=E3=80=91=20?=
 =?UTF-8?q?=E3=80=90master=E3=80=91=20CVE-2024-22195=20modify.=20IssueNo:?=
 =?UTF-8?q?=20https://gitee.com/openharmony/third=5Fparty=5Fjinja2/issues/?=
 =?UTF-8?q?I960CJ=3Ffrom=3Dproject-issue=20Feature=20or=20Bugfix:=20Bugfix?=
 =?UTF-8?q?=20Binary=20Source:=20No?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: duzhihao
---
 filters.py | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/filters.py b/filters.py
index ed07c4c..c7ecc9b 100755
--- a/filters.py
+++ b/filters.py
@@ -248,13 +248,17 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K
 yield from value.items()
+_space_re = re.compile(r"\s", flags=re.ASCII)
+
+
 @pass_eval_context
 def do_xmlattr(
 eval_ctx: "EvalContext", d: t.Mapping[str, t.Any], autospace: bool = True
 ) -> str:
 """Create an SGML/XML attribute string based on the items in a dict.
- All values that are neither `none` nor `undefined` are automatically
- escaped:
+
+ If any key contains a space, this fails with a ``ValueError``. Values that
+ are neither ``none`` nor ``undefined`` are automatically escaped.
 .. sourcecode:: html+jinja
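Review bot: The new docstring sentence `If any key contains a space, this fails with a ``ValueError``` understates what `_space_re` rejects: `\s` compiled with `re.ASCII` matches tab, newline, CR, FF and VT as well as the space character, so a caller reading only the docstring would not expect a tab in a key to raise. Suggest `If any key contains ASCII whitespace (space, tab, newline, ...), this fails with a ``ValueError``.`, and a why-comment on the pattern itself, e.g. `# re.ASCII on purpose: only ASCII whitespace acts as an attribute separator in HTML/XML; Unicode spaces do not`, so the next maintainer does not "fix" it to Unicode matching. `do_xmlattr`'s body continues past the end of this hunk.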
@@ -273,12 +277,22 @@ def do_xmlattr(
 As you can see it automatically prepends a space in front of the item
 if the filter returned something unless the second parameter is false.
+
+ .. versionchanged:: 3.1.3
+ Keys with spaces are not allowed.
 """
- rv = " ".join(
- f'{escape(key)}="{escape(value)}"'
- for key, value in d.items()
- if value is not None and not isinstance(value, Undefined)
- )
+ items = []
+
+ for key, value in d.items():
+ if value is None or isinstance(value, Undefined):
+ continue
+
+ if _space_re.search(key) is not None:
+ raise ValueError(f"Spaces are not allowed in attributes: '{key}'")
+
+ items.append(f'{escape(key)}="{escape(value)}"')
+
+ rv = " ".join(items)
 if autospace and rv:
 rv = " " + rv
-- Gitee
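Review bot: The added guard `if _space_re.search(key) is not None:` is a blocklist that covers only whitespace, but an HTML tokenizer also ends an attribute name at `/`, `=` and `>`, and `escape()` leaves `/` and `=` untouched (only `>` is turned into `&gt;`), so a key such as `src/onerror=alert(1)//` still renders as `src/onerror=alert(1)//="…"`, which a browser parses as a second `onerror` attribute; the attacker-controlled-key injection this change is meant to close therefore remains reachable through those characters. An allowlist is the safer shape: `_attr_key_re = re.compile(r"[\w.:-]+", flags=re.ASCII)` at module level and `if not _attr_key_re.fullmatch(key): raise ValueError(f"Invalid character in attribute name: {key!r}")` in place of the whitespace test, which subsumes the whitespace case and uses `!r` so a key holding control characters is shown unambiguously in the message. The `versionchanged` note (`Keys with spaces are not allowed.`) should then name the accepted character set rather than only spaces. `do_xmlattr`'s body continues past the end of this hunk.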