Roundup Tracker - Issues


Author rouilj
Recipients ber, ezio.melotti, r.david.murray, rouilj, schlatterbeck
Date 2014-07-07.19:20:01
Message-id <>
In-reply-to Your message of "Mon, 07 Jul 2014 15:57:48 -0000." <> <>
Hi Ezio:

In message <>
Ezio Melotti writes:
>AFAIU, this ValueError is caught in cgi/, and the
>add_error_message() escapes the HTML included in the message:
>This could be fixed easily by adding escape=False (see attached patch).
>I verified that this doesn't affect the exploit presented in
>issue2550817 (unknown properties are handled elsewhere), however it
>seems that the error message could arrive from several different places,
>so I'm not entirely sure it's safe to add escape=False.

I have the same concern you do. I wonder if there is a cleaner way to
handle this.

I wonder if we can add some data to the ValueError to tell it that the
string is already cleaned and not to re-escape it.

So you would either create or santize the string and then

  raise ValueError({ 'value': my_clean_string, 'escape_string': false })

and in, it check s to see if it's a dict and if
escape_string exists and is not false, it escapes the string otherwise
it just adds it as is.

Would this be a reasonable thing to support?

(Alternatively we can create/raise a new ValueErrorNoescape exception
but that seems like a real hack).
Date User Action Args
2014-07-07 19:20:02rouiljsetrecipients: + rouilj, schlatterbeck, ber, ezio.melotti, r.david.murray
2014-07-07 19:20:02rouiljlinkissue2550847 messages
2014-07-07 19:20:01rouiljcreate