From 52f2a593c58e1a1e46fccdb28ab98f0ab53775dc Mon Sep 17 00:00:00 2001
From: Dong-hee Na <donghee.na92@gmail.com>
Date: Wed, 25 Sep 2019 11:21:18 +0900
Subject: [PATCH 1/5] bpo-38243: Escape the server_title of DocXMLRPCServer
 when rendering

---
 Lib/xmlrpc/server.py                                           | 3 ++-
 .../next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst     | 2 ++
 2 files changed, 4 insertions(+), 1 deletion(-)
 create mode 100644 Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst

diff --git a/Lib/xmlrpc/server.py b/Lib/xmlrpc/server.py
index f1c467eb1b2b87..32aba4df4c7eb5 100644
--- a/Lib/xmlrpc/server.py
+++ b/Lib/xmlrpc/server.py
@@ -108,6 +108,7 @@ def export_add(self, x, y):
 from http.server import BaseHTTPRequestHandler
 from functools import partial
 from inspect import signature
+import html
 import http.server
 import socketserver
 import sys
@@ -894,7 +895,7 @@ def generate_html_documentation(self):
                                 methods
                             )
 
-        return documenter.page(self.server_title, documentation)
+        return documenter.page(html.escape(self.server_title), documentation)
 
 class DocXMLRPCRequestHandler(SimpleXMLRPCRequestHandler):
     """XML-RPC and documentation request handler class.
diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
new file mode 100644
index 00000000000000..7dc5b6cfc382a6
--- /dev/null
+++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
@@ -0,0 +1,2 @@
+Escape the server_title of :class:`DocXMLRPCServer` when rendering the
+document page. (Contributed by Dong-hee Na in :issue:`38243`.)

From 10d2f0b654f4ffba90a6c1d7b433092e6ec81fb8 Mon Sep 17 00:00:00 2001
From: Dong-hee Na <donghee.na92@gmail.com>
Date: Thu, 26 Sep 2019 22:14:39 +0900
Subject: [PATCH 2/5] bpo-38243: Update unittest

---
 Lib/test/test_docxmlrpc.py | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
index 116e626740df85..5160c28ef6457c 100644
--- a/Lib/test/test_docxmlrpc.py
+++ b/Lib/test/test_docxmlrpc.py
@@ -1,5 +1,6 @@
 from xmlrpc.server import DocXMLRPCServer
 import http.client
+import re
 import sys
 import threading
 import unittest
@@ -193,5 +194,27 @@ def test_annotations(self):
             response.read())
 
 
+class XMLRPCDocGeneratorTest(unittest.TestCase):
+    def setUp(self):
+        self.serv = DocXMLRPCServer(("localhost", 0), logRequests=False)
+
+    def tearDown(self):
+        self.serv.server_close()
+
+    def test_server_title_escape(self):
+        self.serv.set_server_title('test_title<script>')
+        self.serv.set_server_documentation('test_documentation<script>')
+        self.assertEqual('test_title<script>', self.serv.server_title)
+        self.assertEqual('test_documentation<script>',
+                self.serv.server_documentation)
+
+        # bpo-38243
+        generated = self.serv.generate_html_documentation()
+        title = re.search(r'<title>(.+?)</title>', generated).group()
+        documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
+        self.assertEqual('<title>Python: test_title&lt;script&gt;</title>', title)
+        self.assertEqual('<p><tt>test_documentation&lt;script&gt;</tt></p>', documentation)
+
+
 if __name__ == '__main__':
     unittest.main()

From 2a992a99d54493fb153be6b10d7757263a8cc0ae Mon Sep 17 00:00:00 2001
From: Dong-hee Na <donghee.na92@gmail.com>
Date: Fri, 27 Sep 2019 17:55:04 +0900
Subject: [PATCH 3/5] bpo-38243: Update unittest

---
 Lib/test/test_docxmlrpc.py | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
index 5160c28ef6457c..813cd26ee800ed 100644
--- a/Lib/test/test_docxmlrpc.py
+++ b/Lib/test/test_docxmlrpc.py
@@ -193,14 +193,6 @@ def test_annotations(self):
              b'method_annotation</strong></a>(x: bytes)</dt></dl>'),
             response.read())
 
-
-class XMLRPCDocGeneratorTest(unittest.TestCase):
-    def setUp(self):
-        self.serv = DocXMLRPCServer(("localhost", 0), logRequests=False)
-
-    def tearDown(self):
-        self.serv.server_close()
-
     def test_server_title_escape(self):
         self.serv.set_server_title('test_title<script>')
         self.serv.set_server_documentation('test_documentation<script>')

From 3a8f7a7c55da5c644b92978f94043e31a3147104 Mon Sep 17 00:00:00 2001
From: Dong-hee Na <donghee.na92@gmail.com>
Date: Fri, 27 Sep 2019 22:31:43 +0900
Subject: [PATCH 4/5] bpo-38243: Reflect the vstinner's review

---
 Lib/test/test_docxmlrpc.py                                    | 3 ++-
 .../next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst    | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/Lib/test/test_docxmlrpc.py b/Lib/test/test_docxmlrpc.py
index 813cd26ee800ed..7d3e30cbee964a 100644
--- a/Lib/test/test_docxmlrpc.py
+++ b/Lib/test/test_docxmlrpc.py
@@ -194,13 +194,14 @@ def test_annotations(self):
             response.read())
 
     def test_server_title_escape(self):
+        # bpo-38243: Ensure that the server title and documentation
+        # are escaped for HTML.
         self.serv.set_server_title('test_title<script>')
         self.serv.set_server_documentation('test_documentation<script>')
         self.assertEqual('test_title<script>', self.serv.server_title)
         self.assertEqual('test_documentation<script>',
                 self.serv.server_documentation)
 
-        # bpo-38243
         generated = self.serv.generate_html_documentation()
         title = re.search(r'<title>(.+?)</title>', generated).group()
         documentation = re.search(r'<p><tt>(.+?)</tt></p>', generated).group()
diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
index 7dc5b6cfc382a6..e144c753207a8d 100644
--- a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
@@ -1,2 +1,2 @@
-Escape the server_title of :class:`DocXMLRPCServer` when rendering the
-document page. (Contributed by Dong-hee Na in :issue:`38243`.)
+Escape the server title of :class:`DocXMLRPCServer` when rendering the
+document page as HTML. (Contributed by Dong-hee Na in :issue:`38243`.)

From 2b2093ce999cc56f8e5700d2e0943a94530194e6 Mon Sep 17 00:00:00 2001
From: Dong-hee Na <donghee.na92@gmail.com>
Date: Fri, 27 Sep 2019 23:05:36 +0900
Subject: [PATCH 5/5] bpo-38243: Update misc news

---
 .../next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst   | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
index e144c753207a8d..98d7be129573a6 100644
--- a/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
+++ b/Misc/NEWS.d/next/Security/2019-09-25-13-21-09.bpo-38243.1pfz24.rst
@@ -1,2 +1,3 @@
-Escape the server title of :class:`DocXMLRPCServer` when rendering the
-document page as HTML. (Contributed by Dong-hee Na in :issue:`38243`.)
+Escape the server title of :class:`xmlrpc.server.DocXMLRPCServer`
+when rendering the document page as HTML.
+(Contributed by Dong-hee Na in :issue:`38243`.)