Message5114
Hi Ezio:
In message <1404748667.97.0.474031338361.issue2550847@psf.upfronthosting.co.za>
<1404748667.97.0.474031338361.issue2550847@psf.upfronthosting.co.za>,
Ezio Melotti writes:
>AFAIU, this ValueError is caught in cgi/actions.py, and the
>add_error_message() escapes the HTML included in the message:
> http://hg.python.org/tracker/roundup/file/c783a6df3ffe/roundup/cgi/actions.py#l628
>
>This could be fixed easily by adding escape=False (see attached patch).
>I verified that this doesn't affect the exploit presented in
>issue2550817 (unknown properties are handled elsewhere), however it
>seems that the error message could arrive from several different places,
>so I'm not entirely sure it's safe to add escape=False.
I have the same concern you do. I wonder if there is a cleaner way to
handle this.
I wonder if we can add some data to the ValueError to tell it that the
string is already cleaned and not to re-escape it.
So you would either create or santize the string and then
raise ValueError({ 'value': my_clean_string, 'escape_string': false })
and in actions.py, it check s to see if it's a dict and if
escape_string exists and is not false, it escapes the string otherwise
it just adds it as is.
Would this be a reasonable thing to support?
(Alternatively we can create/raise a new ValueErrorNoescape exception
but that seems like a real hack). |
|
| Date |
User |
Action |
Args |
| 2014-07-07 19:20:02 | rouilj | set | recipients:
+ rouilj, schlatterbeck, ber, ezio.melotti, r.david.murray |
| 2014-07-07 19:20:02 | rouilj | link | issue2550847 messages |
| 2014-07-07 19:20:01 | rouilj | create | |
|