Issue 2550836: handleCollision error message no longer valid (escaped html) - Roundup tracker

classification

Title:	handleCollision error message no longer valid (escaped html)
Type:	behavior	Severity:	normal
Components:	Web interface	Versions:

process

Status:	closed	Resolution:	fixed
Dependencies		Superseder:
Assigned To:	schlatterbeck	Nosy List:	ThomasAH, ber, ezio.melotti, r.david.murray, schlatterbeck
Priority:		Keywords:	patch

Created on 2014-03-18 14:26 by r.david.murray, last changed 2014-04-18 08:53 by schlatterbeck.

Files
File name	Uploaded	Description	Edit	Remove
handleCollision.patch	r.david.murray, 2014-03-18 14:26

Messages
msg5038	Author: [hidden] (r.david.murray)	Date: 2014-03-18 14:26
Due to the cross-site scripting fixes, the handleCollision error message in cgi/actions.py now renders as escaped html. The attached patch removes the html portion of the message, but perhaps there is another solution?
msg5039	Author: [hidden] (ber)	Date: 2014-03-19 07:45
Hi David, thanks for the report! Your handleCollision.patch would remove the possibility to open another window for seeing the changes that have been done meanwhile. As Ralf did the escaping change, he probably has a solution for this stituation as well? :) Ralf?
msg5040	Author: [hidden] (schlatterbeck)	Date: 2014-03-19 07:53
On Wed, Mar 19, 2014 at 07:45:35AM +0000, Bernhard Reiter wrote: > > Your handleCollision.patch would remove the possibility to open > another window for seeing the changes that have been done meanwhile. > As Ralf did the escaping change, he probably has a solution for this > stituation as well? :) Thanks for assigning this to me, will look into this tomorrow, I'm on the road today... Ralf
msg5050	Author: [hidden] (schlatterbeck)	Date: 2014-03-31 16:22
Fixed in rca692423e401: I've completely changed the way I guard against XSS security problems raised in issue2550817 -- now I'm escaping when adding a new error or ok message -- at a point where we still know where the message comes from. This also makes it easier for users as no changes of installed templates are necessary to be secure. Can you check this if it works for you? Thanks Ralf
msg5082	Author: [hidden] (ezio.melotti)	Date: 2014-04-17 22:04
I verified that the fix works for us (bugs.python.org), see http://psf.upfronthosting.co.za/roundup/meta/issue538.
msg5083	Author: [hidden] (schlatterbeck)	Date: 2014-04-18 08:53
Thanks for the feedback!

History
Date	User	Action	Args
2014-04-18 08:53:17	schlatterbeck	set	status: fixed -> closed messages: + msg5083
2014-04-17 22:04:57	ezio.melotti	set	nosy: + ezio.melotti messages: + msg5082
2014-03-31 16:22:25	schlatterbeck	set	status: new -> fixed resolution: fixed messages: + msg5050
2014-03-19 14:07:00	ThomasAH	set	nosy: + ThomasAH
2014-03-19 07:53:31	schlatterbeck	set	messages: + msg5040
2014-03-19 07:45:35	ber	set	assignee: schlatterbeck messages: + msg5039 nosy: + ber, schlatterbeck
2014-03-18 14:26:48	r.david.murray	create