gh-149489: Fix ElementTree serialization to HTML #149490

Open
serhiy-storchaka wants to merge 2 commits into python:main from serhiy-storchaka:xml-etree-serialize-html
Conversation

serhiy-storchaka (Member) commented May 7, 2026

  • The content of comments, processing instructions and elements "xmp", "iframe", "noembed", "noframes", and "plaintext" is no longer escaped.
  • The "plaintext" element no longer has a closing tag.
  • Add support for empty attributes (with value None).

StanFromIreland (Member) commented

Updating to fix some errors we introduced on the main branch.

StanFromIreland added the label "needs backport to 3.15" (pre-release feature fixes, bugs and security fixes) on May 7, 2026
scoder (Contributor) commented May 8, 2026

I'm not done with the review yet, but I find it risky to silently change output in a point release like 3.1[34].x. If we change this, it's probably still fine for 3.15, but I'd rather see the maintenance releases excluded.

serhiy-storchaka (Member, Author) commented

Well, the fix for XML was applied to 2.7 and 3.2 and was not backported to 2.6 and 3.1. It introduces a risk of XML/HTML injection if the comment content was not previously sanitized. See #149468.

scoder (Contributor) commented May 8, 2026

> The content of comments, processing instructions and elements "xmp", "iframe", "noembed", "noframes", and "plaintext" is no longer escaped.
> [...] It introduces a risk of XML/HTML injection if the comment content was not previously sanitized.

Well, yes. If we remove the current escaping, then we leave user code unprotected. Definitely not something that users should expect from a point release.
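A worked example of the injection concern discussed in this thread and of the behaviour change listed in the PR description. This is added illustration, not code from the PR or from CPython: the helper names (safe_comment_text, check_raw_text, render_fragment), the example.invalid URL and the attacker strings are all constructed for the demonstration. The sanitizing is done before the tree is built, so the result is safe whether the serializer still escapes comment text (as the currently released versions do) or writes it raw as this PR proposes; the raw-text element list follows the PR description plus "script" and "style", which the existing HTML serializer already writes unescaped.

```python
import re
import xml.etree.ElementTree as ET

# Elements whose content the patched serializer emits verbatim (the PR's
# list) plus script/style, which the current serializer already writes raw.
# Inside them a browser only looks for "</tag" to end the element.
RAW_TEXT_ELEMENTS = frozenset(
    {"script", "style", "xmp", "iframe", "noembed", "noframes", "plaintext"}
)

# HTML ends a comment at "-->" (or "--!>"), and "<!-->" / "<!--->" are
# empty comments, so "--" runs and a leading ">" or "->" must not survive.
_DOUBLE_DASH = re.compile(r"-(?=-)")


def safe_comment_text(text: str) -> str:
    """Return text that cannot terminate the comment it is placed in.

    Hypothetical helper: splits every "--" into "- -" ("-->" becomes "- ->",
    "---" becomes "- - -") and pads a leading ">" or "->".
    """
    text = _DOUBLE_DASH.sub("- ", text)
    if text.startswith((">", "->")):
        text = " " + text
    return text


def check_raw_text(tag: str, text: str) -> str:
    """Refuse raw-text content that could close its own element early.

    Hypothetical helper. "plaintext" needs no check: it has no end tag, so
    everything after it is literal text anyway. Non raw-text elements are
    escaped by the serializer and pass through untouched.
    """
    tag = tag.lower()
    if tag not in RAW_TEXT_ELEMENTS or tag == "plaintext":
        return text
    if re.search(r"</" + re.escape(tag), text, re.IGNORECASE):
        raise ValueError(f"'</{tag}' inside <{tag}> would end the element early")
    return text


def render_fragment(comment: str, iframe_text: str) -> str:
    """Build a small tree from untrusted strings and serialize it as HTML."""
    root = ET.Element("div")
    root.append(ET.Comment(safe_comment_text(comment)))
    iframe = ET.SubElement(root, "iframe", src="https://example.invalid/")
    iframe.text = check_raw_text("iframe", iframe_text)
    return ET.tostring(root, method="html", encoding="unicode")


if __name__ == "__main__":
    # Constructed attacker input: tries to close the comment and open a script.
    evil_comment = "--><script>alert(1)</script><!--"
    html = render_fragment(evil_comment, "Your browser has no frame support.")
    print(html)
    # Exactly one comment opens and one closes, on any serializer version.
    assert html.count("<!--") == 1 and html.count("-->") == 1
    # Constructed attacker input for a raw-text element: rejected up front.
    try:
        render_fragment("ok", "</iframe><script>alert(1)</script>")
    except ValueError as exc:
        print("rejected:", exc)
```

Splitting "--" rather than deleting it keeps the comment readable in the output while removing every byte sequence the HTML tokenizer treats as a comment terminator; rejecting (rather than rewriting) "</iframe" in raw-text content is deliberate, because there is no escape sequence available inside such an element.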


Labels: awaiting core review; needs backport to 3.13 (bugs and security fixes); needs backport to 3.14 (bugs and security fixes); needs backport to 3.15 (pre-release feature fixes, bugs and security fixes)
