Roundup Tracker - Issues


Author ber
Recipients ThomasAH, ber, ezio.melotti, r.david.murray, rouilj, schlatterbeck
Date 2014-08-05.13:07:34
Message-id <>
Some discussion from the mailing list:

----------Cut Message----------
From: anatoly techtonik <>
Sent: Friday 18 July 2014, 11:45:12
Cc: "roundup-devel" <>
Subject: Re: [Roundup-devel] Release planning May 2014

On Fri, Jul 18, 2014 at 12:00 PM, Ralf Schlatterbeck <> 
> - Look more closely into issue2550847: We had XSS fixes but now use
>   cases pop up where html is being escaped when it shouldn't
>   I already have an implementation committed for escaping error 
>   that are generated internally maybe we can extend this.
>   If someone has input, please comment in the issue. I've not looked at
>   the patch yet. I'm also not sure if we should make unescaped output 
>   feature as this may reintroduce XSS issues.

All this escaping stuff is confusing. I am against allowing non-escaped 
in user messages, so if people need them - they should be able to 
solution in template themselves.

But people do need to render links and bold text. The only solution I know 
make it safe is to provide a markup processor for error messages that 
process markup first, and escape everything else.

I have a piece of code that can be brought to make this:

----------Original Message----------
From: Ralf Schlatterbeck <>
Sent: Friday 18 July 2014, 12:03:31
To: anatoly techtonik <>
Cc: "roundup-devel" <>
Subject: Re: [Roundup-devel] Release planning May 2014
Yes, good idea. I think we have optional ReStructuredText rendering,
maybe we can reuse that for error messages.
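Added example, not code from the Roundup project or from anyone in this thread: one way to implement the approach proposed above, a tiny markup processor for error messages that renders only **bold** and [text](url), HTML-escapes everything else (including the link text and the href value), and refuses to turn a link into an anchor unless its URL scheme is http, https or mailto, so a javascript: or data: URL falls back to escaped literal text. The two-construct grammar, the function name render_error and the example.org URLs are assumptions made for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Minimal markup grammar for error messages (assumed for this example):
#   **bold**        -> <b>bold</b>
#   [text](url)     -> <a href="url">text</a>
# Anything that is not one of these two constructs is HTML-escaped.
_MARKUP = re.compile(
    r"\*\*(?P<bold>[^*\n]+?)\*\*"                    # **bold**
    r"|\[(?P<text>[^\]\n]+)\]\((?P<url>[^)\s]+)\)"   # [text](url)
)

# Only these schemes may become clickable links. javascript:, data:,
# vbscript: and anything unrecognised is rendered as escaped literal text.
_SAFE_SCHEMES = {"http", "https", "mailto"}


def _safe_url(url: str) -> bool:
    """True if the URL has an explicitly allowed scheme (fail closed)."""
    return urlsplit(url).scheme.lower() in _SAFE_SCHEMES


def render_error(message: str) -> str:
    """Render a possibly attacker-influenced error message to HTML.

    Markup is processed first; the text inside each markup construct and
    all text outside markup is escaped, so no raw HTML from the message
    ever reaches the output.
    """
    out = []
    pos = 0
    for m in _MARKUP.finditer(message):
        # Plain text before this markup token: always escaped.
        out.append(html.escape(message[pos:m.start()], quote=True))
        if m.group("bold") is not None:
            out.append("<b>%s</b>" % html.escape(m.group("bold"), quote=True))
        else:
            text, url = m.group("text"), m.group("url")
            if _safe_url(url):
                # Escape both the attribute value and the link text.
                out.append('<a href="%s">%s</a>' % (
                    html.escape(url, quote=True),
                    html.escape(text, quote=True)))
            else:
                # Unsafe scheme: keep the literal markup, escaped.
                out.append(html.escape(m.group(0), quote=True))
        pos = m.end()
    out.append(html.escape(message[pos:], quote=True))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample messages, including two injection attempts.
    for msg in (
        "Required value not supplied for property **title**",
        "Value <script>alert(1)</script> is **invalid**",
        "See [issue 2550847](https://example.org/issue2550847)",
        "See [the docs](javascript:alert(1))",
    ):
        print(render_error(msg))
```

If the optional reStructuredText rendering mentioned above is reused for error messages instead, the same principle applies: the renderer, not the message author, decides what HTML can appear, so the docutils `raw` and `include` directives have to stay disabled (settings `raw_enabled=False` and `file_insertion_enabled=False`), otherwise a message can carry arbitrary HTML or read server files.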