From d1e4e123cc88b5ec1bdaf035efe299d690b15c0a Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Wed, 1 Oct 2025 10:07:15 -0500 Subject: [PATCH 1/5] Add warning about lack of validation for `xml.sax.saxutils.XMLGenerator` --- Doc/library/xml.sax.utils.rst | 7 +++++++ .../2025-10-01-10-06-52.gh-issue-139478.AdnsbB.rst | 1 + 2 files changed, 8 insertions(+) create mode 100644 Misc/NEWS.d/next/Documentation/2025-10-01-10-06-52.gh-issue-139478.AdnsbB.rst diff --git a/Doc/library/xml.sax.utils.rst b/Doc/library/xml.sax.utils.rst index 5ee11d58c3dd26..fee5465f6a7033 100644 --- a/Doc/library/xml.sax.utils.rst +++ b/Doc/library/xml.sax.utils.rst @@ -61,6 +61,13 @@ or as base classes. .. class:: XMLGenerator(out=None, encoding='iso-8859-1', short_empty_elements=False) + .. warning:: + :class:`~xml.sax.handler.XMLGenerator` does not validate element or + attribute names. Callers must ensure that names passed to APIs conform + to `XML name rules `__ if passing + untrusted input. Character data and attribute values are escaped, + but not validated. + This class implements the :class:`~xml.sax.handler.ContentHandler` interface by writing SAX events back into an XML document. In other words, using an :class:`XMLGenerator` diff --git a/Misc/NEWS.d/next/Documentation/2025-10-01-10-06-52.gh-issue-139478.AdnsbB.rst b/Misc/NEWS.d/next/Documentation/2025-10-01-10-06-52.gh-issue-139478.AdnsbB.rst new file mode 100644 index 00000000000000..df50e61915d415 --- /dev/null +++ b/Misc/NEWS.d/next/Documentation/2025-10-01-10-06-52.gh-issue-139478.AdnsbB.rst @@ -0,0 +1 @@ +Add warning about lack of validation for ``xml.sax.saxutils.XMLGenerator``. From 87080f7c4ea00f930cceb35ed92ec9671f32186a Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Wed, 1 Oct 2025 15:23:57 +0000 Subject: [PATCH 2/5] Commit suggestion from code review Co-authored-by: Stan Ulbrych <89152624+StanFromIreland@users.noreply.github.com> --- Doc/library/xml.sax.utils.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Doc/library/xml.sax.utils.rst b/Doc/library/xml.sax.utils.rst index fee5465f6a7033..77c6fdb58141d2 100644 --- a/Doc/library/xml.sax.utils.rst +++ b/Doc/library/xml.sax.utils.rst @@ -62,7 +62,7 @@ or as base classes. .. class:: XMLGenerator(out=None, encoding='iso-8859-1', short_empty_elements=False) .. warning:: - :class:`~xml.sax.handler.XMLGenerator` does not validate element or + :class:`!XMLGenerator` does not validate element or attribute names. Callers must ensure that names passed to APIs conform to `XML name rules `__ if passing untrusted input. Character data and attribute values are escaped, From e845206ed591c5d5811f7f87469fe052c57d7f24 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Wed, 1 Oct 2025 15:26:50 +0000 Subject: [PATCH 3/5] Commit suggestion from code review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Bénédikt Tran <10796600+picnixz@users.noreply.github.com> --- .../2025-10-01-10-06-52.gh-issue-139478.AdnsbB.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Misc/NEWS.d/next/Documentation/2025-10-01-10-06-52.gh-issue-139478.AdnsbB.rst b/Misc/NEWS.d/next/Documentation/2025-10-01-10-06-52.gh-issue-139478.AdnsbB.rst index df50e61915d415..bf471c50cb1839 100644 --- a/Misc/NEWS.d/next/Documentation/2025-10-01-10-06-52.gh-issue-139478.AdnsbB.rst +++ b/Misc/NEWS.d/next/Documentation/2025-10-01-10-06-52.gh-issue-139478.AdnsbB.rst @@ -1 +1,2 @@ -Add warning about lack of validation for ``xml.sax.saxutils.XMLGenerator``. +:mod:`xml.sax.saxutils`: Add warning about lack of +validation for :class:`~xml.sax.saxutils.XMLGenerator`. From 4b4c15adc429d7bea606fb5aacbd158cdf06a2dc Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Wed, 1 Oct 2025 12:03:02 -0500 Subject: [PATCH 4/5] Move warning to be after description --- Doc/library/xml.sax.utils.rst | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/Doc/library/xml.sax.utils.rst b/Doc/library/xml.sax.utils.rst index 77c6fdb58141d2..63911e921650c5 100644 --- a/Doc/library/xml.sax.utils.rst +++ b/Doc/library/xml.sax.utils.rst @@ -61,13 +61,6 @@ or as base classes. .. class:: XMLGenerator(out=None, encoding='iso-8859-1', short_empty_elements=False) - .. warning:: - :class:`!XMLGenerator` does not validate element or - attribute names. Callers must ensure that names passed to APIs conform - to `XML name rules `__ if passing - untrusted input. Character data and attribute values are escaped, - but not validated. - This class implements the :class:`~xml.sax.handler.ContentHandler` interface by writing SAX events back into an XML document. In other words, using an :class:`XMLGenerator` @@ -78,6 +71,13 @@ or as base classes. content: if ``False`` (the default) they are emitted as a pair of start/end tags, if set to ``True`` they are emitted as a single self-closed tag. + .. warning:: + :class:`!XMLGenerator` does not validate element or + attribute names. Callers must ensure that names passed to APIs conform + to `XML name rules `__ if passing + untrusted input. Character data and attribute values are escaped, + but not validated. + .. versionchanged:: 3.2 Added the *short_empty_elements* parameter. From cbe0c127022332ac32eeabc9ada39290f1350345 Mon Sep 17 00:00:00 2001 From: Seth Michael Larson Date: Wed, 1 Oct 2025 14:14:11 -0500 Subject: [PATCH 5/5] Change security warning to note about intended usage --- Doc/library/xml.sax.utils.rst | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/Doc/library/xml.sax.utils.rst b/Doc/library/xml.sax.utils.rst index 63911e921650c5..2df9d0542f50a3 100644 --- a/Doc/library/xml.sax.utils.rst +++ b/Doc/library/xml.sax.utils.rst @@ -71,12 +71,10 @@ or as base classes. content: if ``False`` (the default) they are emitted as a pair of start/end tags, if set to ``True`` they are emitted as a single self-closed tag. - .. warning:: - :class:`!XMLGenerator` does not validate element or - attribute names. Callers must ensure that names passed to APIs conform - to `XML name rules `__ if passing - untrusted input. Character data and attribute values are escaped, - but not validated. + .. note:: + :class:`!XMLGenerator` is only intended to be used as a ``handler`` + with SAX parser functions from the :mod:`!xml.sax` module. Using XMLGenerator + on untrusted user inputs is not the intended use. .. versionchanged:: 3.2 Added the *short_empty_elements* parameter.