Roundup Tracker - Issues

Issue 2550836

classification
Title: handleCollision error message no longer valid (escaped html)
Type: behavior Severity: normal
Components: Web interface Versions:
process
Status: closed Resolution: fixed
Dependencies: Superseder:
Assigned To: schlatterbeck Nosy List: ThomasAH, ber, ezio.melotti, r.david.murray, schlatterbeck
Priority: Keywords: patch

Created on 2014-03-18 14:26 by r.david.murray, last changed 2014-04-18 08:53 by schlatterbeck.

Files
File name Uploaded Description
handleCollision.patch r.david.murray, 2014-03-18 14:26
Messages
msg5038 Author: [hidden] (r.david.murray) Date: 2014-03-18 14:26
Due to the cross-site scripting fixes, the handleCollision error message
in cgi/actions.py now renders as escaped html.  The attached patch
removes the html portion of the message, but perhaps there is another
solution?
msg5039 Author: [hidden] (ber) Date: 2014-03-19 07:45
Hi David, 
thanks for the report!

Your handleCollision.patch would remove the possibility to open
another window for seeing the changes that have been done meanwhile.
As Ralf did the escaping change, he probably has a solution for this
situation as well? :)

Ralf?
msg5040 Author: [hidden] (schlatterbeck) Date: 2014-03-19 07:53
On Wed, Mar 19, 2014 at 07:45:35AM +0000, Bernhard Reiter wrote:
> 
> Your handleCollision.patch would remove the possibility to open
> another window for seeing the changes that have been done meanwhile.
> As Ralf did the escaping change, he probably has a solution for this
> situation as well? :)

Thanks for assigning this to me, will look into this tomorrow, I'm on
the road today...

Ralf
msg5050 Author: [hidden] (schlatterbeck) Date: 2014-03-31 16:22
Fixed in rca692423e401:
I've completely changed the way I guard against XSS security problems
raised in issue2550817 -- now I'm escaping when adding a new error or ok
message -- at a point where we still know where the message comes from.

This also makes it easier for users as no changes of installed templates
are necessary to be secure.

Can you check if this works for you?

Thanks
Ralf
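
The approach described in msg5050, sketched as an added example that is not part of the original thread and is not Roundup's own code: messages are escaped when they are added, and a caller that builds its own markup opts out explicitly. The class, function names, message wording and sample values are hypothetical.

```python
import html


class MessageList:
    """Hypothetical per-request store for ok/error messages (not Roundup's API)."""

    def __init__(self):
        self._messages = []

    def add(self, msg, escape=True):
        # Escape here, where the caller still knows whether msg carries
        # request-derived text; the template later emits entries verbatim.
        if escape:
            msg = html.escape(msg, quote=True)
        self._messages.append(msg.replace("\n", "<br />\n"))

    def render(self):
        # Stand-in for the template: no escaping decisions are made here.
        return "\n".join('<p class="error-message">%s</p>' % m
                         for m in self._messages)


def collision_message(props, url):
    """Edit-collision notice (constructed wording): fixed markup around
    individually escaped dynamic values, so the link still renders."""
    return ('Edit Error: someone else has edited this item (%s). '
            'View <a target="_blank" href="%s">their changes</a> '
            'in a new window.'
            % (html.escape(", ".join(props)), html.escape(url, quote=True)))


def demo():
    errors = MessageList()
    # Echoes a submitted form value (constructed sample): escaped by default.
    errors.add('Invalid status "<script>alert(1)</script>"')
    # Markup written by the application itself: caller opts out explicitly.
    errors.add(collision_message(["title", "status"], "issue42?a=1&b=2"),
               escape=False)
    return errors.render()


if __name__ == "__main__":
    print(demo())
```

Every `escape=False` call site is a place to review: the fixed markup must come from the application, and each interpolated value must be escaped on its own.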
msg5082 Author: [hidden] (ezio.melotti) Date: 2014-04-17 22:04
I verified that the fix works for us (bugs.python.org), see
http://psf.upfronthosting.co.za/roundup/meta/issue538.
msg5083 Author: [hidden] (schlatterbeck) Date: 2014-04-18 08:53
Thanks for the feedback!
History
Date User Action Args
2014-04-18 08:53:17 schlatterbeck set status: fixed -> closed; messages: + msg5083
2014-04-17 22:04:57 ezio.melotti set nosy: + ezio.melotti; messages: + msg5082
2014-03-31 16:22:25 schlatterbeck set status: new -> fixed; resolution: fixed; messages: + msg5050
2014-03-19 14:07:00 ThomasAH set nosy: + ThomasAH
2014-03-19 07:53:31 schlatterbeck set messages: + msg5040
2014-03-19 07:45:35 ber set assignee: schlatterbeck; messages: + msg5039; nosy: + ber, schlatterbeck
2014-03-18 14:26:48 r.david.murray create