gh-148954: sanitize methodname in xmlrpc.client.dumps() to prevent XML injection

[sanyamk23]

Summary

This PR fixes an XML injection vulnerability in xmlrpc.client.dumps() where the methodname was interpolated directly into the <methodName> tag without escaping.

Details

The methodname is now passed through the module's escape() helper function before being added to the XML request body. This prevents attackers from injecting arbitrary XML markup if they can control the method name.

Verification

• Confirmed that a payload like 'foo</methodName><injected attr="evil"/><methodName>bar' is correctly escaped as 'foo</methodName><injected attr="evil"/><methodName>bar'.
• Verified that standard method names (alpha-numeric) continue to work without modification.
• Verified that special characters in method names are correctly recovered when unmarshalled.

Fixes gh-148954

[python-cla-bot]

All commit authors signed the Contributor License Agreement.

[picnixz]

• Please sign the CLA.
• Please don't use LLM to generate your PRs or summary. See https://devguide.python.org/getting-started/generative-ai/.
• Add tests if possible.
• Don't force push and don't update your PR with the "Update branch" button. In particular, read the devguide.

[bedevere-app]

A Python core developer has requested some changes be made to your pull request before we can consider merging it. If you could please address their requests along with any other requests in other reviews from core developers that would be appreciated.

Once you have made the requested changes, please leave a comment on this pull request containing the phrase I have made the requested changes; please review again. I will then notify any core developers who have left a review that you're ready for them to take another look at this pull request.

[picnixz]

cc @sethmlarson @StanFromIreland (I think this was a GHSA right? I didn't follow the discussion so there might be more that you wanted to add).

[picnixz]

@StanFromIreland Was it expected to be fixed as a regular bugfix or security issue? in the former case, please move the NEWS entry to "Library" (the esasiest way to do it is simply to remove that file and re-create one from scratch).

[StanFromIreland]

This was expected to be treated as a regular bugfix, please do move it to "library," otherwise it is misleading and contradicts the security warning.

[StanFromIreland]

FTR: this was GHSA-w5gj-44cx-wmcj.