gh-148954: Escape methodname in xmlrpc.client.dumps() to prevent XML injection

[sanyamk23]

Summary

This PR fixes an XML injection vulnerability in xmlrpc.client.dumps() where the methodname was interpolated directly into the <methodName> tag without escaping.

Details

The methodname is now passed through the module's escape() helper function before being added to the XML request body. This prevents attackers from injecting arbitrary XML markup if they can control the method name.

Verification

• Confirmed that a payload like 'foo</methodName><injected attr="evil"/><methodName>bar' is correctly escaped as 'foo</methodName><injected attr="evil"/><methodName>bar'.
• Verified that standard method names (alpha-numeric) continue to work without modification.
• Verified that special characters in method names are correctly recovered when unmarshalled.

Fixes gh-148954

[python-cla-bot]

All commit authors signed the Contributor License Agreement.

[picnixz]

• Please sign the CLA.
• Please don't use LLM to generate your PRs or summary. See https://devguide.python.org/getting-started/generative-ai/.
• Add tests if possible.
• Don't force push and don't update your PR with the "Update branch" button. In particular, read the devguide.

[bedevere-app]

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

[picnixz]

cc @sethmlarson @StanFromIreland (I think this was a GHSA right? I didn't follow the discussion so there might be more that you wanted to add).

[StanFromIreland]

FTR: this was GHSA-w5gj-44cx-wmcj.

[serhiy-storchaka]

LGTM. 👍

[serhiy-storchaka]

@sanyamk23, please sing the CLA.

[serhiy-storchaka]

@sanyamk23, we cannot merge this PR until you sign the CLA.

[miss-islington-app]

Thanks @sanyamk23 for the PR, and @serhiy-storchaka for merging it 🌮🎉.. I'm working now to backport this PR to: 3.13, 3.14, 3.15.
🐍🍒⛏🤖 I'm not a witch! I'm not a witch!

[bedevere-app]

GH-151033 is a backport of this pull request to the 3.15 branch.

[bedevere-app]

GH-151034 is a backport of this pull request to the 3.14 branch.

[bedevere-app]

GH-151035 is a backport of this pull request to the 3.13 branch.