[#313272] "Internal error" page does not evaluate URL link correctly

Submitted by: Christoph Haas (haas)
Date Submitted: 2011-08-04 19:57
Date Closed: 2012-03-25 16:34
status:
Assigned to: Nobody (None)
Priority: 3
Summary*: "Internal error" page does not evaluate URL link correctly

Detailed description
The A HREF link on the page shown in case of "500 Internal error" is escaping the A HREF so that the HTML is displayed to the user.

Followups:

Message
Date: 2011-08-16 07:45
Sender: Niels Thykier

Hi

This also happens for 404 errors, the [1]-link should work very well for triggering a 404.

~Niels

[1] http://mentors.debian.net/debian/pool/main/a/some-404

Date: 2011-08-18 05:42
Sender: Kyle Willmon

I have found the reason for this in the code.

This is due to default_filters=['escape'] on line 91 of debexpo/config/environment.py

On my local machine, I removed this parameter and the links are no longer escaped. This could potentially open up debexpo to HTML injection or XSS attacks if we fail to clean the input to our templates, though I'm currently not sure how much of a threat this is.

The other option is to add "| n" to each place where this problem is occurring. This is a bit more cautious, but also a bit more dirty. I would lean towards the former solution.

Given the option that people think is best, I can/will gladly submit a patch to fix this.
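
The two options weighed in the comment above, as an added example (not debexpo's code and not Mako itself): a small stand-in renderer that models Mako-style `default_filters` and the `n` flag using only the Python standard library. The `render` helper, the template strings and the sample link and path are constructed for illustration.

```python
import html
import re

# Matches ${name} and ${name | flag}; a tiny subset of Mako expression syntax.
_EXPR = re.compile(r"\$\{\s*(\w+)\s*(?:\|\s*(\w+)\s*)?\}")

FILTERS = {"escape": html.escape}


def render(template, context, default_filters=()):
    """Substitute expressions, applying default_filters unless flagged 'n'."""
    def substitute(match):
        name, flag = match.groups()
        value = str(context[name])
        if flag == "n":          # 'n' switches the default filters off
            return value
        if flag is not None:
            raise ValueError("unsupported filter: " + flag)
        for filter_name in default_filters:
            value = FILTERS[filter_name](value)
        return value
    return _EXPR.sub(substitute, template)


# Constructed sample data: a trusted link built by the application, and an
# untrusted request path as it could arrive on a 404 page.
CONTEXT = {
    "link": '<a href="/contact">contact us</a>',
    "path": "/pool/<script>x</script>",
}

PAGE = "<p>${path} not found, ${link}</p>"
PAGE_WITH_N = "<p>${path} not found, ${link | n}</p>"


def demo():
    return {
        # The reported bug: the default filter escapes the trusted link too.
        "default_escape": render(PAGE, CONTEXT, ["escape"]),
        # Option 1: filter removed everywhere; the untrusted path is now raw.
        "no_default": render(PAGE, CONTEXT, []),
        # Option 2: default kept, opt-out only on the trusted link.
        "escape_plus_n": render(PAGE_WITH_N, CONTEXT, ["escape"]),
    }


if __name__ == "__main__":
    for label, output in demo().items():
        print(f"{label:15} {output}")
```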

Date: 2012-03-25 16:34
Sender: Nicolas Dandrimont

I'm going through outstanding bug reports for debexpo. Apparently this has been fixed a while ago. I'm thus closing this.

Thanks for your report,
Nicolas


Change Log:

Field | Old Value | Date | By
status_id | Open | 2012-03-25 16:34 | dandrimont-guest
close_date | None | 2012-03-25 16:34 | dandrimont-guest
status | Open | 2012-03-25 16:34 | dandrimont-guest