gh-148954: add tests for methodname sanitization in dumps()

Author: sanyamk23

Lib/test/test_xmlrpc.py

@@ -208,6 +208,15 @@ def test_dump_encoding(self):
         self.assertEqual(xmlrpclib.loads(strg)[0][0], value)
         self.assertEqual(xmlrpclib.loads(strg)[1], methodname)
 
+    def test_methodname_sanitization(self):
+        # gh-148954: test that methodname is sanitized in dumps()
+        payload = 'foo</methodName><injected attr="evil"/><methodName>bar'
+        s = xmlrpclib.dumps((), methodname=payload)
+        self.assertIn('<methodName>foo&lt;/methodName&gt;&lt;injected attr="evil"/&gt;&lt;methodName&gt;bar</methodName>', s)
+        self.assertNotIn('<injected attr="evil"/>', s)
+        load, m = xmlrpclib.loads(s)
+        self.assertEqual(m, payload)
+
     def test_dump_bytes(self):
         sample = b"my dog has fleas"
         self.assertEqual(sample, xmlrpclib.Binary(sample))