From 1264a0c2f4aae4ec7150f6a597a3745dd12bf7e7 Mon Sep 17 00:00:00 2001 From: liangxinyan Date: Thu, 31 Oct 2024 14:35:04 +0800 Subject: [PATCH] IssueNo: https://gitee.com/openharmony/third_party_jinja2/issues/IB133X Signed-off-by: liangxinyan --- filters.py | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) diff --git a/filters.py b/filters.py index c7ecc9b..8b09247 100755 --- a/filters.py +++ b/filters.py @@ -248,7 +248,9 @@ def do_items(value: t.Union[t.Mapping[K, V], Undefined]) -> t.Iterator[t.Tuple[K yield from value.items() -_space_re = re.compile(r"\s", flags=re.ASCII) +# Check for characters that would move the parser state from key to value. +# https://html.spec.whatwg.org/#attribute-name-state +_attr_key_re = re.compile(r"[\s/>=]", flags=re.ASCII) @pass_eval_context @@ -257,9 +259,14 @@ def do_xmlattr( ) -> str: """Create an SGML/XML attribute string based on the items in a dict. - If any key contains a space, this fails with a ``ValueError``. Values that - are neither ``none`` nor ``undefined`` are automatically escaped. + **Values** that are neither ``none`` nor ``undefined`` are automatically + escaped, safely allowing untrusted user input. + User input should not be used as **keys** to this filter. If any key + contains a space, ``/`` solidus, ``>`` greater-than sign, or ``=`` equals + sign, this fails with a ``ValueError``. Regardless of this, user input + should never be used as keys to this filter, or must be separately validated + first. .. sourcecode:: html+jinja `` greater-than sign, or ``=`` equals sign + are not allowed. + .. versionchanged:: 3.1.3 Keys with spaces are not allowed. """ @@ -287,8 +298,8 @@ def do_xmlattr( if value is None or isinstance(value, Undefined): continue - if _space_re.search(key) is not None: - raise ValueError(f"Spaces are not allowed in attributes: '{key}'") + if _attr_key_re.search(key) is not None: + raise ValueError(f"Invalid character in attribute name: {key!r}") items.append(f'{escape(key)}="{escape(value)}"') -- Gitee