Merge pull request astanin#26 from westurner/25_htmlescape_cells

astanin · web-flow · commit 3de721a3f456 · 2019-12-19T13:26:52.000Z
BUG,SEC: html.escape cells to prevent XSS (astanin#25)
diff --git a/tabulate.py b/tabulate.py
@@ -55,6 +55,11 @@ def _is_file(f):
 except ImportError:
     wcwidth = None
 
+try:
+    from html import escape as htmlescape
+except ImportError:
+    from cgi import escape as htmlescape
+
 
 __all__ = ["tabulate", "tabulate_formats", "simple_separated_format"]
 __version__ = "0.8.7"
@@ -174,7 +179,7 @@ def _textile_row_with_attrs(cell_values, colwidths, colaligns):
 
 def _html_begin_table_without_header(colwidths_ignore, colaligns_ignore):
     # this table header will be suppressed if there is a header row
-    return "\n".join(["<table>", "<tbody>"])
+    return "<table>\n<tbody>"
 
 
 def _html_row_with_attrs(celltag, cell_values, colwidths, colaligns):
@@ -185,12 +190,13 @@ def _html_row_with_attrs(celltag, cell_values, colwidths, colaligns):
         "decimal": ' style="text-align: right;"',
     }
     values_with_attrs = [
-        "<{0}{1}>{2}</{0}>".format(celltag, alignment.get(a, ""), c)
+        "<{0}{1}>{2}</{0}>".format(celltag, alignment.get(a, ""),
+            htmlescape(c))
         for c, a in zip(cell_values, colaligns)
     ]
-    rowhtml = "<tr>" + "".join(values_with_attrs).rstrip() + "</tr>"
+    rowhtml = "<tr>{}</tr>".format("".join(values_with_attrs).rstrip())
     if celltag == "th":  # it's a header row, create a new table header
-        rowhtml = "\n".join(["<table>", "<thead>", rowhtml, "</thead>", "<tbody>"])
+        rowhtml = "<table>\n<thead>\n{}\n</thead>\n<tbody>".format(rowhtml)
     return rowhtml
 
 
diff --git a/test/test_output.py b/test/test_output.py
@@ -897,22 +897,27 @@ def test_moinmoin_headerless():
     assert_equal(expected, result)
 
 
+_test_table_html_headers = ["<strings>", "<&numbers&>"]
+_test_table_html = [["spam >", 41.9999], ["eggs &", 451.0]]
+assert_equal.__self__.maxDiff = None
+
 def test_html():
     "Output: html with headers"
     expected = "\n".join(
         [
             "<table>",
             "<thead>",
-            '<tr><th>strings  </th><th style="text-align: right;">  numbers</th></tr>',
+            '<tr><th>&lt;strings&gt;  </th><th style="text-align: right;">  &lt;&amp;numbers&amp;&gt;</th></tr>',
             "</thead>",
             "<tbody>",
-            '<tr><td>spam     </td><td style="text-align: right;">  41.9999</td></tr>',
-            '<tr><td>eggs     </td><td style="text-align: right;"> 451     </td></tr>',
+            '<tr><td>spam &gt;     </td><td style="text-align: right;">      41.9999</td></tr>',
+            '<tr><td>eggs &amp;     </td><td style="text-align: right;">     451     </td></tr>',
             "</tbody>",
             "</table>",
         ]
     )
-    result = tabulate(_test_table, _test_table_headers, tablefmt="html")
+    result = tabulate(_test_table_html, _test_table_html_headers,
+            tablefmt="html")
     assert_equal(expected, result)
 
 
@@ -922,13 +927,13 @@ def test_html_headerless():
         [
             "<table>",
             "<tbody>",
-            '<tr><td>spam</td><td style="text-align: right;"> 41.9999</td></tr>',
-            '<tr><td>eggs</td><td style="text-align: right;">451     </td></tr>',
+            '<tr><td>spam &gt;</td><td style="text-align: right;"> 41.9999</td></tr>',
+            '<tr><td>eggs &amp;</td><td style="text-align: right;">451     </td></tr>',
             "</tbody>",
             "</table>",
         ]
     )
-    result = tabulate(_test_table, tablefmt="html")
+    result = tabulate(_test_table_html, tablefmt="html")
     assert_equal(expected, result)
 
 
