Roundup Tracker - Issues

Message5116

Author ezio.melotti
Recipients ThomasAH, ber, ezio.melotti, r.david.murray, rouilj, schlatterbeck
Date 2014-07-08.22:30:27
Message-id <1404858627.95.0.369925261042.issue2550847@psf.upfronthosting.co.za>
In-reply-to
Note that before the XSS fix the HTML wasn't being escaped, no one
complained about it and some probably used this feature (like we did).  The
XSS fix introduced a regression, but at the same time it might have made
things safer (in case it was possible to use this path to inject
malicious code like <script>).  In other words, I think that
interpreting HTML is the desired behavior, unless the HTML might come
from untrusted sources.

Attached a new patch (untested) that adds an escape_html arg to the
"Reject" exception:
http://hg.python.org/tracker/roundup/file/c783a6df3ffe/roundup/exceptions.py#l12
This exception is already caught in the same code path, and the docstring
said this is what auditors should use to stop an operation (in our case
avoid closing an issue when there are dependencies open).  This will
allow people to use `raise Reject(msg_with_html, escape_html=False)`.
I also modified all the places where Reject is caught and its message
used with add_error_message.
Is this a reasonable solution?
History
Date User Action Args
2014-07-08 22:30:27 ezio.melotti set messageid: <1404858627.95.0.369925261042.issue2550847@psf.upfronthosting.co.za>
2014-07-08 22:30:27 ezio.melotti set recipients: + ezio.melotti, schlatterbeck, ber, rouilj, ThomasAH, r.david.murray
2014-07-08 22:30:27 ezio.melotti link issue2550847 messages
2014-07-08 22:30:27 ezio.melotti create
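
A sketch of the approach described in the message above, added here as an example; it is not the attached patch or Roundup's own code. The `Client` class, `run_auditor`, the `escape` parameter and both auditors are hypothetical stand-ins, and the issue data is constructed.

```python
import html

class Reject(Exception):
    """Stand-in for the Reject exception with the proposed escape_html arg."""
    def __init__(self, message, escape_html=True):
        super().__init__(message)
        self.escape_html = escape_html

class Client:
    """Hypothetical minimal stand-in for the web client's message handling."""
    def __init__(self):
        self.error_messages = []

    def add_error_message(self, msg, escape=True):
        # Escape by default; only callers that vouch for the markup opt out.
        self.error_messages.append(html.escape(msg) if escape else msg)

    def run_auditor(self, auditor, *args):
        # Every place that catches Reject passes its flag along.
        try:
            auditor(*args)
        except Reject as exc:
            self.add_error_message(str(exc), escape=exc.escape_html)

def audit_close(issue_id, open_deps):
    """Auditor: refuse to close an issue that still has open dependencies."""
    if open_deps:
        # Titles are user-controlled, so they are escaped individually
        # before being embedded in the auditor's own (trusted) markup.
        links = ", ".join(
            '<a href="issue%d">%s</a>' % (dep_id, html.escape(title))
            for dep_id, title in open_deps)
        raise Reject("Cannot close issue%d, open dependencies: %s"
                     % (issue_id, links), escape_html=False)

def audit_title(title):
    """Auditor that echoes user input: keeps the default escaping."""
    if len(title) > 20:
        raise Reject("Title too long: " + title)

def demo():
    client = Client()
    # Constructed sample data: a dependency whose title contains markup.
    client.run_auditor(audit_close, 7, [(3, "<script>alert(1)</script>")])
    client.run_auditor(audit_title, "<script>alert(1)</script>")
    return client.error_messages
```

With `escape_html=False` the auditor takes over responsibility for escaping any untrusted value it interpolates, which is why `audit_close` escapes each title itself.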