Roundup Tracker - Issues

Message5129

Author ber
Recipients ThomasAH, ber, ezio.melotti, r.david.murray, rouilj, schlatterbeck
Date 2014-08-05.13:07:34
Message-id <1407244056.08.0.685464625291.issue2550847@psf.upfronthosting.co.za>
In-reply-to
Some discussion from the mailinglist:

----------Cut Message----------
From: anatoly techtonik <techtonik@gmail.com>
Sent: Friday 18 July 2014, 11:45:12
Cc: "roundup-devel" <roundup-devel@lists.sourceforge.net>
Subject: Re: [Roundup-devel] Release planning May 2014

On Fri, Jul 18, 2014 at 12:00 PM, Ralf Schlatterbeck <rsc@runtux.com> 
wrote:
> - Look more closely into issue2550847: We had XSS fixes but now use
>   cases pop up where html is being escaped when it shouldn't
>   I already have an implementation committed for escaping error messages
>   that are generated internally maybe we can extend this.
>   If someone has input, please comment in the issue. I've not looked at
>   the patch yet. I'm also not sure if we should make unescaped output a
>   feature as this may reintroduce XSS issues.

All this escaping stuff is confusing. I am against allowing non-escaped
output in user messages, so if people need it, they should be able to
implement a solution in the template themselves.

But people do need to render links and bold text. The only solution I know
to make it safe is to provide a markup processor for error messages that
will process markup first, and escape everything else.

I have a piece of code that can be brought to make this:
https://pypi.python.org/pypi/wikify/

----------Original Message----------
From: Ralf Schlatterbeck <rsc@runtux.com>
Sent: Friday 18 July 2014, 12:03:31
To: anatoly techtonik <techtonik@gmail.com>
Cc: "roundup-devel" <roundup-devel@lists.sourceforge.net>
Subject: Re: [Roundup-devel] Release planning May 2014
[..]
Yes, good idea. I think we have optional ReStructuredText rendering,
maybe we can reuse that for error messages.
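
An added example of the approach discussed above (a fixed markup vocabulary for user-visible messages, with everything else escaped). This is not Roundup's code, not the wikify package, and not the ReStructuredText rendering Ralf mentions; it is a hypothetical helper written for this page. It escapes the whole message first and only then recognises two markup forms in the escaped text, `**bold**` and `[label](url)`, so a raw `<` in the message can never become a tag, and it refuses links whose scheme could execute script (`javascript:`, `data:`). The regex, the scheme whitelist and the function names are assumptions of this example.

```python
import html
import re
from urllib.parse import urlsplit

# Hypothetical helper, not part of Roundup. Markup recognised in a message:
#   [label](url)  -> <a href="url">label</a>
#   **text**      -> <b>text</b>
# Everything else is HTML-escaped. The regex runs over the already-escaped
# text, so "<", ">", "&" and quotes written by the user are inert before any
# tag is generated.
MARKUP_RE = re.compile(
    r"\[(?P<label>[^\]]+)\]\((?P<url>[^)\s]+)\)"   # [label](url)
    r"|\*\*(?P<bold>.+?)\*\*"                      # **bold**
)

# Schemes allowed in a generated link (assumed whitelist); relative URLs
# (empty scheme) are also accepted.
SAFE_SCHEMES = {"http", "https", "mailto"}


def _safe_href(url: str) -> bool:
    """Reject URLs that could run script when clicked.

    Control characters are rejected outright because browsers strip some of
    them before parsing, which would let "java\\x01script:" slip past a plain
    scheme check.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in url):
        return False
    scheme = urlsplit(url).scheme.lower()
    return scheme == "" or scheme in SAFE_SCHEMES


def _render_escaped(escaped: str) -> str:
    """Expand markup in text that has ALREADY been HTML-escaped."""

    def repl(m: re.Match) -> str:
        if m.group("bold") is not None:
            # Recurse so a link inside **...** is still rendered.
            return "<b>%s</b>" % _render_escaped(m.group("bold"))
        label, url = m.group("label"), m.group("url")
        # The URL was escaped with the rest of the text; check the
        # unescaped form, but emit the escaped form inside the attribute.
        if not _safe_href(html.unescape(url)):
            return m.group(0)  # leave the markup as inert text
        return '<a href="%s">%s</a>' % (url, _render_escaped(label))

    return MARKUP_RE.sub(repl, escaped)


def render_message(text: str) -> str:
    """Render a user-visible message: escape first, then apply markup."""
    return _render_escaped(html.escape(text, quote=True))


if __name__ == "__main__":
    # Constructed sample messages, not from the tracker.
    samples = [
        "see **issue2550847** at [the tracker](https://issues.roundup-tracker.org/issue2550847)",
        '<script>alert(1)</script>',
        "[click me](javascript:alert(1))",
        '[q](http://a/?q=1&b="2")',
    ]
    for s in samples:
        print(repr(s), "->", repr(render_message(s)))
```

Because escaping happens before markup recognition, the only HTML that can appear in the output is the `<b>` and `<a>` the helper itself emits, and the `href` value is still the escaped text, so a quote inside a URL cannot close the attribute. A rejected link is left as the literal `[label](url)` text rather than dropped, which keeps the message readable and makes the refusal visible.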