Description
I am using:
OS: Fedora 40
Browser: Firefox 131.0.2
Platform: desktop
Problem
The preview of the new Python 3 port has broken HTML escaping in the XML feeds
e.g. try to view this in the browser:
https://planetpython.org/3/rss10.xml
and it will complain about undefined entities, due to having raw unescaped HTML in the XML document
By comparison, the original Python 2 code escaped HTML in the feed:

```
$ wget https://planetpython.org/rss10.xml
$ grep "content:encoded" rss10.xml | head -1
<content:encoded>&lt;p&gt;As is probably apparent from the sequence of blog posts about the topic in the
$ wget https://planetpython.org/3/rss10.xml
$ grep "content:encoded" rss10.xml.1 | head -1
<content:encoded><p>As is probably apparent from the sequence of blog posts about the topic in the
```
Details
This problem is caused by a mistake in the Python 3 conversion done in #577; specifically, commit 86e31f9 replaced code patterns like:

```python
feed[key] = sanitize.HTML(feed[key])
```

with

```python
feed[key] = Markup(feed[key])
```

which does not provide functionally equivalent behaviour.
The `sanitize.HTML` method would parse the HTML and strip out various undesirable elements and attributes, and escaping was later performed by the template processor.

The `Markup` method will not parse anything; it just wraps the `str` in a `Markup` class, as a way to designate it as being safe to use as-is without further escaping. As a result, when you later try to escape the variable in Jinja using `... | e`, it will do nothing at all, resulting in raw HTML being put into the XML document, leading to the later parsing errors.
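The following is an added illustration of the mechanism described above; it is not Planet's code. It renders a `content:encoded` element the way the template's `| e` filter (which is `markupsafe.escape` under the hood in Jinja) would, once with the entry body wrapped in `Markup` and once as a plain `str`, then feeds each result to an XML parser. It uses `markupsafe` when installed and otherwise a minimal stand-in with the same contract; the entry body is a constructed sample.

```python
"""Why wrapping untrusted feed HTML in Markup defeats the template's `| e` filter."""
import xml.etree.ElementTree as ET
from html import escape as _html_escape

try:
    from markupsafe import Markup, escape
except ImportError:  # stand-in mirroring the markupsafe contract (assumption: not the real lib)
    class Markup(str):
        def __html__(self):
            return self

    def escape(value):
        # markupsafe.escape honours __html__, so a Markup value passes through untouched
        if hasattr(value, "__html__"):
            return Markup(value.__html__())
        return Markup(_html_escape(str(value), quote=True))

# Constructed sample of a blog entry body: contains markup and an HTML entity (&copy;)
# that is not one of the five entities predefined in XML.
ENTRY_HTML = "<p>Copyright &copy; example &amp; friends</p>"

# The RSS 1.0 content module namespace, declared so a strict XML parser accepts the prefix.
CONTENT_NS = "http://purl.org/rss/1.0/modules/content/"


def render_content_encoded(value):
    """Mimic the template line <content:encoded>{{ value | e }}</content:encoded>."""
    return '<content:encoded xmlns:content="%s">%s</content:encoded>' % (CONTENT_NS, escape(value))


def xml_is_well_formed(fragment):
    """True if an XML parser accepts the rendered element (e.g. no undefined entities)."""
    try:
        ET.fromstring(fragment)
        return True
    except ET.ParseError:
        return False


def render_with_markup():
    # Python 3 port: Markup(...) marks the raw HTML as safe, so `| e` changes nothing.
    return render_content_encoded(Markup(ENTRY_HTML))


def render_with_plain_str():
    # A plain str (what a sanitizer that returns text would hand over) is escaped by `| e`.
    return render_content_encoded(ENTRY_HTML)


if __name__ == "__main__":
    for label, out in (("Markup", render_with_markup()), ("str", render_with_plain_str())):
        print("%-6s well-formed XML: %s" % (label, xml_is_well_formed(out)))
        print("   ", out)
```

The `Markup` rendering is rejected by the parser because `&copy;` reaches the XML document unescaped, which is the "undefined entity" error seen in the browser; the plain `str` rendering is accepted and round-trips the original HTML as text.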
I think either the original sanitizer code needs to be re-instated and made to work with py3, or perhaps an external library such as https://github.com/matthiask/html-sanitizer/ could be leveraged?