Roundup Tracker - Issues


Author ezio.melotti
Recipients ber, ezio.melotti, r.david.murray, schlatterbeck
Date 2014-07-07.15:57:46
Message-id <>
This issue is similar to issue2550836.
We have a detector that prevents closing an issue if it has open
This is done by raising a ValueError with a message that contains an
HTML link.

AFAIU, this ValueError is caught in cgi/, and the
add_error_message() escapes the HTML included in the message:

This could be fixed easily by adding escape=False (see attached patch).
I verified that this doesn't affect the exploit presented in
issue2550817 (unknown properties are handled elsewhere), however it
seems that the error message could arrive from several different places,
so I'm not entirely sure it's safe to add escape=False.
Can someone more familiar with this code comment?
Date User Action Args
2014-07-07 15:57:48ezio.melottisetrecipients: + ezio.melotti, schlatterbeck, ber, r.david.murray
2014-07-07 15:57:47ezio.melottisetmessageid: <>
2014-07-07 15:57:47ezio.melottilinkissue2550847 messages
2014-07-07 15:57:47ezio.melotticreate