Check also for surrogates in HTML.

serhiy-storchaka · serhiy-storchaka · commit e12e88d698c8 · 2026-05-31T13:49:58.000+03:00
diff --git a/Lib/test/test_xml_etree.py b/Lib/test/test_xml_etree.py
@@ -1400,6 +1400,10 @@ def check_valid(self, elem, expected):
     def test_invalid_comment(self):
         self.check(ET.Comment('a--b'))
         self.check(ET.Comment(' B+, B, or B-'))
+        self.check(ET.Comment('\x00'))
+        self.check(ET.Comment('\x01'))
+        self.check(ET.Comment('\ud8ff'))
+        self.check(ET.Comment('\ufffe'))
 
     def test_invalid_processing_instruction(self):
         self.check(ET.PI(''))
@@ -1412,6 +1416,7 @@ def test_invalid_processing_instruction(self):
         self.check(ET.PI('xml', 'encoding="UTF-8"'))
         self.check(ET.PI('foo', 'a?>b'))
         self.check(ET.PI('foo', '\x00'))
+        self.check(ET.PI('foo', '\x01'))
         self.check(ET.PI('foo', '\ud8ff'))
         self.check(ET.PI('foo', '\ufffe'))
 
@@ -1500,10 +1505,12 @@ def test_invalid_comment(self):
         self.check(ET.Comment('a-->b'))
         self.check(ET.Comment('a--!>b'))
         self.check(ET.Comment('a\x00b'))
+        self.check(ET.Comment('a\ud8ffb'))
 
     def test_invalid_processing_instruction(self):
         self.check(ET.PI('a>b'))
         self.check(ET.PI('a\x00b'))
+        self.check(ET.PI('a\ud8ffb'))
 
     def test_invalid_tag(self):
         self.check(ET.Element(''))
@@ -1516,37 +1523,50 @@ def test_invalid_tag(self):
         self.check(ET.Element('a/b'))
         self.check(ET.Element('a>b'))
         self.check(ET.Element('a\x00b'))
+        self.check(ET.Element('a\ud8ffb'))
         self.check(ET.Element(ET.QName('')))
         self.check(ET.Element(ET.QName('0')))
         self.check(ET.Element(ET.QName('a/b')))
 
     def test_invalid_attr_name(self):
         self.check(ET.Element('tag', attrib={'': 'value'}))
+        self.check(ET.Element('tag', attrib={'\x00': 'value'}))
+        self.check(ET.Element('tag', attrib={'\ud8ff': 'value'}))
         self.check(ET.Element('tag', attrib={'a/b': 'value'}))
         self.check(ET.Element('tag', attrib={'a=b': 'value'}))
+        self.check(ET.Element('tag', attrib={'a\x00b': 'value'}))
+        self.check(ET.Element('tag', attrib={'a\ud8ffb': 'value'}))
         self.check(ET.Element('tag', attrib={ET.QName(''): 'value'}))
         self.check(ET.Element('tag', attrib={ET.QName('a/b'): 'value'}))
 
     def test_invalid_attr_value(self):
         self.check(ET.Element('tag', attrib={'key': '\x00'}))
+        self.check(ET.Element('tag', attrib={'key': '\ud8ff'}))
         self.check(ET.Element('tag', attrib={'key': ET.QName('\x00')}))
+        self.check(ET.Element('tag', attrib={'key': ET.QName('\ud8ff')}))
         self.check(ET.Element('tag', attrib={'key': ET.QName('a"b')}))
         self.check(ET.Element('tag', attrib={'key': ET.QName('a&b')}))
 
     def test_invalid_text(self):
         elem = ET.Element('tag')
         elem.text = '\x00'
         self.check(elem)
+        elem.text = '\ud8ff'
+        self.check(elem)
 
     def test_invalid_tail(self):
         elem = ET.Element('tag')
         elem.tail = '\x00'
         self.check(elem)
+        elem.tail = '\ud8ff'
+        self.check(elem)
 
     def test_invalid_text_without_tag(self):
         elem = ET.Element(None)
         elem.text = '\x00'
         self.check(elem)
+        elem.text = '\ud8ff'
+        self.check(elem)
 
     def test_invalid_subelements(self):
         elem = ET.Element('tag')
@@ -1558,7 +1578,9 @@ def test_invalid_subelements(self):
 
     def test_invalid_namespace_uri(self):
         self.check(ET.Element('{\x00}tag'))
+        self.check(ET.Element('{\ud8ff}tag'))
         self.check(ET.Element(ET.QName('\x00', 'tag')))
+        self.check(ET.Element(ET.QName('\ud8ff', 'tag')))
 
     @support.subTests('tag', ("script", "style", "xmp", "iframe", "noembed", "noframes"))
     def test_invalid_cdata_content(self, tag):
@@ -1571,6 +1593,8 @@ def test_invalid_cdata_content(self, tag):
         self.check(elem)
         elem.text = 'a\x00b'
         self.check(elem)
+        elem.text = 'a\ud8ffb'
+        self.check(elem)
 
     @support.subTests('tag', ("script", "style", "xmp", "iframe", "noembed", "noframes"))
     def test_cdata_subelements(self, tag):
@@ -1582,6 +1606,8 @@ def test_invalid_plaintext_content(self):
         elem = ET.Element('plaintext')
         elem.text = 'a\x00b'
         self.check(elem)
+        elem.text = 'a\ud8ffb'
+        self.check(elem)
 
 
 class IterparseTest(unittest.TestCase):
diff --git a/Lib/xml/etree/ElementTree.py b/Lib/xml/etree/ElementTree.py
@@ -878,7 +878,7 @@ def _serialize_xml(write, elem, qnames, namespaces, *,
     text = elem.text
     if tag is Comment:
         if validate:
-            if '--' in text or text.endswith('-'):
+            if '--' in text or text.endswith('-') or not is_valid_text(text):
                 raise ValueError('invalid comment')
         write("<!--%s-->" % text)
     elif tag is ProcessingInstruction:
@@ -955,33 +955,36 @@ def _serialize_xml(write, elem, qnames, namespaces, *,
               "img", "input", "isindex", "link", "meta", "param", "source",
               "track", "wbr", "plaintext"}
 
+def _is_valid_html_text(text):
+    return re.search('[\x00\ud800-\udfff]', text) is None
+
 def _serialize_html(write, elem, qnames, namespaces, *, validate=True, **kwargs):
     tag = elem.tag
     text = elem.text
     if tag is Comment:
         if validate:
             if (re.prefixmatch('-?>', text) or re.search('--!?>', text)
-                    or '\0' in text):
+                    or not _is_valid_html_text(text)):
                 raise ValueError('invalid comment')
         write("<!--%s-->" % text)
     elif tag is ProcessingInstruction:
         if validate:
-            if '>' in text or '\0' in text:
+            if '>' in text or not _is_valid_html_text(text):
                 raise ValueError(f'invalid processing instruction {text!r}')
         write("<?%s?>" % text)
     else:
         tag = qnames[tag]
         if tag is None:
             if text:
                 if validate:
-                    if '\0' in text:
+                    if not _is_valid_html_text(text):
                         raise ValueError('invalid characters')
                 write(_escape_cdata(text))
             for e in elem:
                 _serialize_html(write, e, qnames, None, validate=validate)
         else:
             if validate:
-                if not re.fullmatch('[A-Za-z][^\0\t\n\r\f />]*+', tag):
+                if not re.fullmatch('[A-Za-z][^\0\t\n\r\f />\ud800-\udfff]*+', tag):
                     raise ValueError(f'invalid element name {tag!r}')
             write("<" + tag)
             items = list(elem.items())
@@ -992,10 +995,10 @@ def _serialize_html(write, elem, qnames, namespaces, *, validate=True, **kwargs)
                         if k:
                             k = ":" + k
                         if validate:
-                            if not re.fullmatch('[^\0\t\n\r\f />=]++', k):
-                                raise ValueError(f'invalid attribute name {k!r}')
+                            if not re.fullmatch('[^\0\t\n\r\f />=\ud800-\udfff]++', k):
+                                raise ValueError(f'invalid namespace name {k[1:]!r}')
                         if validate:
-                            if '\0' in v:
+                            if not _is_valid_html_text(v):
                                 raise ValueError('invalid characters')
                         write(" xmlns%s=\"%s\"" % (
                             k,
@@ -1006,27 +1009,27 @@ def _serialize_html(write, elem, qnames, namespaces, *, validate=True, **kwargs)
                         k = k.text
                     k = qnames[k]
                     if validate:
-                        if not re.fullmatch('[^\0\t\n\r\f />][^\0\t\n\r\f />=]*+', k):
+                        if not re.fullmatch('[^\0\t\n\r\f />\ud800-\udfff][^\0\t\n\r\f />=\ud800-\udfff]*+', k):
                             raise ValueError(f'invalid attribute name {k!r}')
                     if v is None:
                         write(" %s" % k)  # empty attr
                     else:
                         if isinstance(v, QName):
                             v = qnames[v.text]
                             if validate:
-                                if '\0' in v or '"' in v or '&' in v:
+                                if re.search('[\0"&\ud800-\udfff]', v):
                                     raise ValueError(f'invalid attribute value {v!r}')
                         else:
                             if validate:
-                                if '\0' in v:
+                                if not _is_valid_html_text(v):
                                     raise ValueError(f'invalid attribute value {v!r}')
                             v = _escape_attrib_html(v)
                         write(" %s=\"%s\"" % (k, v))
             write(">")
             ltag = tag.lower()
             if text:
                 if validate:
-                    if '\0' in text:
+                    if not _is_valid_html_text(text):
                         raise ValueError('invalid characters')
                 if ltag in _CDATA_CONTENT_ELEMENTS:
                     if validate:
@@ -1046,7 +1049,7 @@ def _serialize_html(write, elem, qnames, namespaces, *, validate=True, **kwargs)
                 write("</" + tag + ">")
     if elem.tail:
         if validate:
-            if '\0' in elem.tail:
+            if not _is_valid_html_text(elem.tail):
                 raise ValueError('invalid characters')
         write(_escape_cdata(elem.tail))
 
