PythonDebug exception error page doesn't escape special HTML characters. ------------------------------------------------------------------------
Key: MODPYTHON-151 URL: http://issues.apache.org/jira/browse/MODPYTHON-151 Project: mod_python Type: Bug Components: core Versions: 3.2.8, 3.1.4, 2.7.10 Reporter: Graham Dumpleton Assigned to: Graham Dumpleton When an exception occurs in a handler and PythonDebug is On, an error page is generated and returned to the client. The traceback and details of the exception will be output within a <pre></pre> section, however the content put in the section is included as is and no escaping is performed on special HTML characters. This means that if the details of the exception include any special HTML characters, it can stuff up the formatting of the page and/or information could on face value be lost. For example the new importer will generate a specific exception where the response from a handler is not of the correct type. AssertionError: Handler has returned result or raised SERVER_RETURN exception with argument having non integer type. Type of value returned was <type 'module'>, whereas expected <type 'int'>. Because this includes <> characters, it actuall displays in the resultant HTML page as: AssertionError: Handler has returned result or raised SERVER_RETURN exception with argument having non integer type. Type of value returned was , whereas expected . The error reporter therefore should pass content through cgi.escape(). -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: http://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira