Posted to mod_python-dev@quetz.apache.org by "Graham Dumpleton (JIRA)" <ji...@apache.org> on 2006/03/26 12:35:24 UTC

[jira] Created: (MODPYTHON-151) PythonDebug exception error page doesn't escape special HTML characters.

PythonDebug exception error page doesn't escape special HTML characters.
------------------------------------------------------------------------

         Key: MODPYTHON-151
         URL: http://issues.apache.org/jira/browse/MODPYTHON-151
     Project: mod_python
        Type: Bug
  Components: core  
    Versions: 3.2.8, 3.1.4, 2.7.10    
    Reporter: Graham Dumpleton
 Assigned to: Graham Dumpleton 


When an exception occurs in a handler and PythonDebug is On, an error page is generated and returned to the client. The traceback and details of the exception will be output within a <pre></pre> section, however the content put in the section is included as is and no escaping is performed on special HTML characters. This means that if the details of the exception include any special HTML characters, it can stuff up the formatting of the page and/or information could on face value be lost.

For example the new importer will generate a specific exception where the response from a handler is not of the correct type.

  AssertionError: Handler has returned result or raised SERVER_RETURN
  exception with argument having non integer type. Type of value returned
  was <type 'module'>, whereas expected <type 'int'>.

Because this includes <> characters, it actually displays in the resultant HTML page as:

  AssertionError: Handler has returned result or raised SERVER_RETURN
  exception with argument having non integer type. Type of value returned
  was , whereas expected .

The error reporter therefore should pass content through cgi.escape().

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
   http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
   http://www.atlassian.com/software/jira
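
The behaviour described in the report, reproduced as an added example (this is not mod_python's code). It uses `html.escape()`, the current standard-library replacement for the `cgi.escape()` the report names; `render_debug_page` and `visible_text` are hypothetical helpers, and the exception message is the one quoted in the report.

```python
import html
import traceback
from html.parser import HTMLParser

# Exception message quoted in the issue report.
MESSAGE = ("Handler has returned result or raised SERVER_RETURN exception "
           "with argument having non integer type. Type of value returned "
           "was <type 'module'>, whereas expected <type 'int'>.")


def format_exception_text():
    """Raise and catch the sample exception, returning its traceback text."""
    try:
        raise AssertionError(MESSAGE)
    except AssertionError:
        return traceback.format_exc()


def render_debug_page(text, escape):
    """Hypothetical error-page renderer: wraps traceback text in <pre>."""
    # quote=False mirrors cgi.escape()'s default; quotes are harmless in
    # element content, only &, < and > need encoding here.
    body = html.escape(text, quote=False) if escape else text
    return "<html><body><pre>\n%s</pre></body></html>" % body


class _VisibleText(HTMLParser):
    """Collects character data only, approximating what a browser shows."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def visible_text(page):
    """Return the text a reader would see once the markup is parsed."""
    parser = _VisibleText()
    parser.feed(page)
    parser.close()  # flush any buffered character data
    return "".join(parser.chunks)


if __name__ == "__main__":
    tb = format_exception_text()
    print(visible_text(render_debug_page(tb, escape=False)))
    print(visible_text(render_debug_page(tb, escape=True)))
```

Without escaping, the parser consumes `<type 'module'>` as an unknown element, so the same path would treat any markup that reaches an exception message as live HTML in the client's browser.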


[jira] Resolved: (MODPYTHON-151) PythonDebug exception error page doesn't escape special HTML characters.

Posted by "Graham Dumpleton (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/MODPYTHON-151?page=all ]
     
Graham Dumpleton resolved MODPYTHON-151:
----------------------------------------

    Fix Version: 3.3
     Resolution: Fixed

> PythonDebug exception error page doesn't escape special HTML characters.
> ------------------------------------------------------------------------
>
>          Key: MODPYTHON-151
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-151
>      Project: mod_python
>         Type: Bug
>   Components: core
>     Versions: 3.2.8, 3.1.4, 2.7.10
>     Reporter: Graham Dumpleton
>     Assignee: Graham Dumpleton
>      Fix For: 3.3

>
> When an exception occurs in a handler and PythonDebug is On, an error page is generated and returned to the client. The traceback and details of the exception will be output within a <pre></pre> section, however the content put in the section is included as is and no escaping is performed on special HTML characters. This means that if the details of the exception include any special HTML characters, it can stuff up the formatting of the page and/or information could on face value be lost.
> For example the new importer will generate a specific exception where the response from a handler is not of the correct type.
>   AssertionError: Handler has returned result or raised SERVER_RETURN
>   exception with argument having non integer type. Type of value returned
>   was <type 'module'>, whereas expected <type 'int'>.
> Because this includes <> characters, it actually displays in the resultant HTML page as:
>   AssertionError: Handler has returned result or raised SERVER_RETURN
>   exception with argument having non integer type. Type of value returned
>   was , whereas expected .
> The error reporter therefore should pass content through cgi.escape().



[jira] Work started: (MODPYTHON-151) PythonDebug exception error page doesn't escape special HTML characters.

Posted by "Graham Dumpleton (JIRA)" <ji...@apache.org>.
     [ http://issues.apache.org/jira/browse/MODPYTHON-151?page=all ]
     
Work on MODPYTHON-151 started by Graham Dumpleton

> PythonDebug exception error page doesn't escape special HTML characters.
> ------------------------------------------------------------------------
>
>          Key: MODPYTHON-151
>          URL: http://issues.apache.org/jira/browse/MODPYTHON-151
>      Project: mod_python
>         Type: Bug
>   Components: core
>     Versions: 3.2.8, 3.1.4, 2.7.10
>     Reporter: Graham Dumpleton
>     Assignee: Graham Dumpleton

>
> When an exception occurs in a handler and PythonDebug is On, an error page is generated and returned to the client. The traceback and details of the exception will be output within a <pre></pre> section, however the content put in the section is included as is and no escaping is performed on special HTML characters. This means that if the details of the exception include any special HTML characters, it can stuff up the formatting of the page and/or information could on face value be lost.
> For example the new importer will generate a specific exception where the response from a handler is not of the correct type.
>   AssertionError: Handler has returned result or raised SERVER_RETURN
>   exception with argument having non integer type. Type of value returned
>   was <type 'module'>, whereas expected <type 'int'>.
> Because this includes <> characters, it actually displays in the resultant HTML page as:
>   AssertionError: Handler has returned result or raised SERVER_RETURN
>   exception with argument having non integer type. Type of value returned
>   was , whereas expected .
> The error reporter therefore should pass content through cgi.escape().



[jira] Closed: (MODPYTHON-151) PythonDebug exception error page doesn't escape special HTML characters.

Posted by "Graham Dumpleton (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/MODPYTHON-151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Graham Dumpleton closed MODPYTHON-151.
--------------------------------------


> PythonDebug exception error page doesn't escape special HTML characters.
> ------------------------------------------------------------------------
>
>                 Key: MODPYTHON-151
>                 URL: https://issues.apache.org/jira/browse/MODPYTHON-151
>             Project: mod_python
>          Issue Type: Bug
>          Components: core
>    Affects Versions: 2.7.10, 3.1.4, 3.2.8
>            Reporter: Graham Dumpleton
>         Assigned To: Graham Dumpleton
>             Fix For: 3.3
>
>
> When an exception occurs in a handler and PythonDebug is On, an error page is generated and returned to the client. The traceback and details of the exception will be output within a <pre></pre> section, however the content put in the section is included as is and no escaping is performed on special HTML characters. This means that if the details of the exception include any special HTML characters, it can stuff up the formatting of the page and/or information could on face value be lost.
> For example the new importer will generate a specific exception where the response from a handler is not of the correct type.
>   AssertionError: Handler has returned result or raised SERVER_RETURN
>   exception with argument having non integer type. Type of value returned
>   was <type 'module'>, whereas expected <type 'int'>.
> Because this includes <> characters, it actually displays in the resultant HTML page as:
>   AssertionError: Handler has returned result or raised SERVER_RETURN
>   exception with argument having non integer type. Type of value returned
>   was , whereas expected .
> The error reporter therefore should pass content through cgi.escape().

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.