From 13514f594de772d0e870ff680529d402b2ba8866 Mon Sep 17 00:00:00 2001
From: Serhiy Storchaka
Date: Sat, 29 Dec 2018 17:42:05 +0200
Subject: [PATCH] Revert "bpo-35603: Escape table header of make_table output that can cause potential XSS. (GH-11341)"

This reverts commit 78de01198b047347abc5e458851bb12c48429e24.
---
 Lib/difflib.py | 4 ----
 Lib/test/test_difflib.py | 9 ---------
 .../Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst | 2 --
 3 files changed, 15 deletions(-)
 delete mode 100644 Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst

diff --git a/Lib/difflib.py b/Lib/difflib.py
index 4571817b9823b0..887c3c26cae458 100644
--- a/Lib/difflib.py
+++ b/Lib/difflib.py
@@ -2036,10 +2036,6 @@ def make_table(self,fromlines,tolines,fromdesc='',todesc='',context=False,
 s.append( fmt % (next_id[i],next_href[i],fromlist[i],
 next_href[i],tolist[i]))
 if fromdesc or todesc:
- fromdesc = fromdesc.replace("&", "&").replace(">", ">") \
- .replace("<", "<")
- todesc = todesc.replace("&", "&").replace(">", ">") \
- .replace("<", "<")
 header_row = '%s%s%s%s' % (
 '
',
 '%s' % fromdesc,
diff --git a/Lib/test/test_difflib.py b/Lib/test/test_difflib.py
index 63ebdb0dc83b17..745ccbd6659ed5 100644
--- a/Lib/test/test_difflib.py
+++ b/Lib/test/test_difflib.py
@@ -238,15 +238,6 @@ def test_html_diff(self):
 with open(findfile('test_difflib_expect.html')) as fp:
 self.assertEqual(actual, fp.read())
- def test_make_table_escape_table_header(self):
- html_diff = difflib.HtmlDiff()
- output = html_diff.make_table(patch914575_from1.splitlines(),
- patch914575_to1.splitlines(),
- fromdesc='',
- todesc='')
- self.assertIn('<from>', output)
- self.assertIn('<to>', output)
-
 def test_recursion_limit(self):
 # Check if the problem described in patch #1413711 exists.
 limit = sys.getrecursionlimit()
diff --git a/Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst b/Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst
deleted file mode 100644
index 03150c3aa494d9..00000000000000
--- a/Misc/NEWS.d/next/Library/2018-12-28-14-53-22.bpo-35603.rVCZAE.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-Escape table header output of :meth:`difflib.HtmlDiff.make_table`.
-Patch by Karthikeyan Singaravelan.
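Review bot: With the four escaping lines reverted, the new side of this hunk interpolates `fromdesc` and `todesc` verbatim into the `header_row` cells of the generated table, so any caller that builds those descriptions from untrusted data (file names, request parameters, or whatever a wrapper forwards into `make_table`) can inject markup into the page — the "potential XSS" named in the reverted commit's subject. If the revert is deliberate because callers are expected to supply their own HTML in the descriptions, that contract should be stated in the `make_table` docstring, e.g. `fromdesc/todesc are inserted as-is and are NOT HTML-escaped; escape untrusted text yourself (html.escape) before passing it`; otherwise the escaping should come back, and `fromdesc = html.escape(fromdesc, quote=False)` (importing `html` if difflib does not already) is simpler than the replace chain while preserving the `&`-first ordering the removed lines depended on. Note that the removed lines as displayed here are entity-decoded (`.replace("&", "&")` would be a no-op), which is presumably a rendering artefact of `&amp;`/`&gt;`/`&lt;` in the real source rather than what the original fix did. `make_table` starts and ends outside this hunk.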