From 84bb41a91f71ef6d3e2acfb09232f4e26c7c4421 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Mon, 15 May 2017 17:27:48 +0200
Subject: [PATCH] metadata: switch from deprecated cgi.escape to html.escape
cgi.escape is deprecated in Python 3.x and has security issues: https://bugs.python.org/issue26398 html.escape() differs from cgi.escape() by its defaults to quote=True: s = html.escape( """& < " ' >""" ) # s = '& < " ' >'
---
 fdroidserver/metadata.py | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/fdroidserver/metadata.py b/fdroidserver/metadata.py
index c650ddbc..301a2de0 100644
--- a/fdroidserver/metadata.py
+++ b/fdroidserver/metadata.py
@@ -21,7 +21,7 @@ import json
 import os
 import re
 import glob
-import cgi
+import html
 import logging
 import textwrap
 import io
@@ -492,10 +492,10 @@ class DescriptionFormatter:
 self.laststate = self.state
 self.state = self.stNONE
- def formatted(self, txt, html):
+ def formatted(self, txt, htmlbody):
 res = ''
- if html:
- txt = cgi.escape(txt)
+ if htmlbody:
+ txt = html.escape(txt, quote=False)
 while True:
 index = txt.find("''")
 if index == -1:
@@ -503,7 +503,7 @@ class DescriptionFormatter:
 res += txt[:index]
 txt = txt[index:]
 if txt.startswith("'''"):
- if html:
+ if htmlbody:
 if self.bold:
 res += ''
 else:
@@ -511,7 +511,7 @@ class DescriptionFormatter:
 self.bold = not self.bold
 txt = txt[3:]
 else:
- if html:
+ if htmlbody:
 if self.ital:
 res += ''
 else:
@@ -538,7 +538,7 @@ class DescriptionFormatter:
 url, urltext = self.linkResolver(url)
 else:
 urltext = url
- res_html += '' + cgi.escape(urltext) + ''
+ res_html += '' + html.escape(urltext, quote=False) + ''
 res_plain += urltext
 txt = txt[index + 2:]
 else:
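Review bot: The parameter rename from `html` to `htmlbody` in `formatted` is what lets the body reach the `html` module at all (the old parameter name shadowed it), but nothing in the hunk records that, and the rename changes the keyword name any caller using `formatted(txt, html=True)` relied on; I would add `# htmlbody, not html: the old name shadowed the html module used below` above `if htmlbody:` and confirm no caller passes the argument by keyword. The same rename appears in the hunks at -503 and -511. `quote=False` keeps cgi.escape's old behaviour, so `"` and `'` pass through unescaped; that is safe for element text but not for anything that later lands inside an attribute value, which deserves a comment on that line as well. The body of `formatted` continues past the end of the hunk.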
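Review bot: The `url` resolved two lines above (`url, urltext = self.linkResolver(url)`) reaches the `res_html +=` line without any escaping; the two bare `''` literals around `html.escape(urltext, quote=False)` look like markup the page rendering dropped, and if `url` is concatenated into that markup as an attribute value, the escaping of `urltext` that this commit adjusts does nothing for it. Escaping `url` with `html.escape(url)` (quote=True, so `"` cannot terminate the attribute) on that line would close the gap the commit leaves open; the same pattern is in the hunk at -554. The enclosing function starts before this hunk and continues after it.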
@@ -554,7 +554,7 @@ class DescriptionFormatter:
 url = url[:index2]
 if url == urltxt:
 warn_or_exception("Url title is just the URL - use [url]")
- res_html += '' + cgi.escape(urltxt) + ''
+ res_html += '' + html.escape(urltxt, quote=False) + ''
 res_plain += urltxt
 if urltxt != url:
 res_plain += ' (' + url + ')'
-- 
2.30.2