Issue #26585: Eliminate _quote_html() and use html.escape(quote=False)

Patch by Xiang Zhang.
2026-01-04 14:32:21 +00:00 · 2016-04-11 00:40:08 +00:00 · 2016-04-11 00:40:08 +00:00 · da3bb38452
commit da3bb38452
parent 50ab1a3694
3 changed files with 40 additions and 9 deletions
--- a/Lib/test/test_httpservers.py
+++ b/Lib/test/test_httpservers.py
@ -344,7 +344,7 @@ def test_undecodable_filename(self):
        quotedname = urllib.parse.quote(filename, errors='surrogatepass')
        self.assertIn(('href="%s"' % quotedname)
                      .encode(enc, 'surrogateescape'), body)
-        self.assertIn(('>%s<' % html.escape(filename))
+        self.assertIn(('>%s<' % html.escape(filename, quote=False))
                      .encode(enc, 'surrogateescape'), body)
        response = self.request(self.base_url + '/' + quotedname)
        self.check_status_and_reason(response, HTTPStatus.OK,
@ -422,6 +422,27 @@ def test_path_without_leading_slash(self):
        self.assertEqual(response.getheader("Location"),
                         self.tempdir_name + "/?hi=1")

+    def test_html_escape_filename(self):
+        filename = '<test&>.txt'
+        fullpath = os.path.join(self.tempdir, filename)
+
+        try:
+            open(fullpath, 'w').close()
+        except OSError:
+            raise unittest.SkipTest('Can not create file %s on current file '
+                                    'system' % filename)
+
+        try:
+            response = self.request(self.base_url + '/')
+            body = self.check_status_and_reason(response, HTTPStatus.OK)
+            enc = response.headers.get_content_charset()
+        finally:
+            os.unlink(fullpath)  # avoid affecting test_undecodable_filename
+
+        self.assertIsNotNone(enc)
+        html_text = '>%s<' % html.escape(filename, quote=False)
+        self.assertIn(html_text.encode(enc), body)
+

 cgi_file1 = """\
 #!%s
@ -883,6 +904,13 @@ def test_too_many_headers(self):
        self.assertFalse(self.handler.get_called)
        self.assertEqual(self.handler.requestline, 'GET / HTTP/1.1')

+    def test_html_escape_on_error(self):
+        result = self.send_typical_request(
+            b'<script>alert("hello")</script> / HTTP/1.1')
+        result = b''.join(result)
+        text = '<script>alert("hello")</script>'
+        self.assertIn(html.escape(text, quote=False).encode('ascii'), result)
+
    def test_close_connection(self):
        # handle_one_request() should be repeatedly called until
        # it sets close_connection