pallets / markupsafe

Safely add untrusted strings to HTML/XML markup.
https://markupsafe.palletsprojects.com
BSD 3-Clause "New" or "Revised" License

`escape()` fails with certain `str` subclasses #472

Open sgfost opened 2 days ago

sgfost commented 2 days ago

I have a very similar issue to #467, however it is one that persists after the 3.0.1 patch.

Essentially what is happening is that str subclasses which override __str__() are no longer (since 2.1.5) handled in the same way.

I encountered this with Django's SafeString, however for the purpose of repro I have a simpler example below:

# _escape_inner is the private C-level helper that escape() dispatches to
from markupsafe import _escape_inner

# A str subclass whose __str__ returns the instance itself rather than a plain str
class NewString(str):
  def __str__(self):
    return self

s = NewString("abc")
_escape_inner(s)  # raises SystemError instead of returning the escaped text

output:

---------------------------------------------------------------------------
SystemError                               Traceback (most recent call last)
Cell In[4], line 1
----> 1 _escape_inner(s)

SystemError: <built-in function _escape_inner> returned NULL without setting an exception

Environment:

davidism commented 2 days ago

A similar thing to the previous issue is happening. The object isn't a direct str, so it goes to the str(o) path, which results in the same object, still not a str. So the C code still gets unexpected data.
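To make the mechanism concrete, the following is an added example and not markupsafe's code. It models the dispatch in pure Python: `_inner` stands in for the C helper and insists on an exact `str` (assumption: that is what the C code expects, as the comment above describes), `coerce_naive` is the `str(o)` path that hands back the same subclass instance, and `coerce_exact` is one hypothetical way to guarantee an exact `str` by calling `str.__str__` on the instance, which bypasses the override and copies the data into a plain `str`. `html.escape` is used only to stand in for the escaping itself. All names and the sample inputs are constructed for this illustration.

```python
from html import escape as _html_escape  # stdlib stand-in for the escaping step


class NewString(str):
    """str subclass whose __str__ returns itself, as in the repro above."""

    def __str__(self):
        return self


class SafeString(str):
    """Stand-in for a value already marked safe via the __html__ protocol."""

    def __html__(self):
        return self


class Wrapper:
    """Non-str object whose __str__ hands back a str *subclass* (constructed case)."""

    def __init__(self, text):
        self.text = text

    def __str__(self):
        return NewString(self.text)


def _inner(s):
    """Models the C helper: only an exact str is acceptable input."""
    if type(s) is not str:
        raise TypeError(f"expected exact str, got {type(s).__name__}")
    return _html_escape(s, quote=True)


def coerce_naive(o):
    """The fragile path: str(o) returns o itself when __str__ returns self."""
    return o if type(o) is str else str(o)


def coerce_exact(o):
    """Always yields an exact str, whatever __str__ on o (or on its result) does."""
    s = o if isinstance(o, str) else str(o)
    # str.__str__ on a subclass instance ignores the override and returns a plain
    # str copy of the underlying characters; on an exact str it is the identity.
    return s if type(s) is str else str.__str__(s)


def escape_naive(o):
    """Dispatch as described in the issue: __html__ first, else str(o) then the helper."""
    if hasattr(o, "__html__"):
        return o.__html__()
    return _inner(coerce_naive(o))


def escape_hardened(o):
    """Same dispatch, but the helper is guaranteed to receive an exact str."""
    if hasattr(o, "__html__"):
        return o.__html__()
    return _inner(coerce_exact(o))


def naive_fails(o):
    """True when the naive path cannot handle o (mirrors the SystemError above)."""
    try:
        escape_naive(o)
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    sample = NewString('<a & "b">')
    print(type(str(sample)).__name__)        # NewString: str() did not normalise it
    print(naive_fails(sample))               # True
    print(escape_hardened(sample))           # &lt;a &amp; &quot;b&quot;&gt;
    print(escape_hardened(Wrapper("<i>")))   # &lt;i&gt;
    print(escape_hardened(SafeString("<b>")))  # <b> (trusted via __html__)
```

The check that matters is `type(s) is str`, not `isinstance(s, str)`: a subclass passes the latter while still reaching the helper with a layout the C code may not accept. Normalising with `str.__str__(s)` is one option; `"".join([s])` or `s[:]` also produce an exact `str` for subclass instances, but `str.__str__` states the intent most plainly.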

karolyi commented 1 hour ago

+1, I too am encountering this bug.