PythonDebug exception error page doesn't escape special HTML characters.
------------------------------------------------------------------------
Key: MODPYTHON-151
URL: http://issues.apache.org/jira/browse/MODPYTHON-151
Project: mod_python
Type: Bug
Components: core
Versions: 3.2.8, 3.1.4, 2.7.10
Reporter: Graham Dumpleton
Assigned to: Graham Dumpleton
When an exception occurs in a handler and PythonDebug is On, an error page is
generated and returned to the client. The traceback and details of the
exception will be output within a <pre></pre> section; however, the content put
in the section is included as is and no escaping is performed on special HTML
characters. This means that if the details of the exception include any special
HTML characters, it can stuff up the formatting of the page and/or information
could on face value be lost.
For example the new importer will generate a specific exception where the
response from a handler is not of the correct type.
AssertionError: Handler has returned result or raised SERVER_RETURN
exception with argument having non integer type. Type of value returned
was <type 'module'>, whereas expected <type 'int'>.
Because this includes <> characters, it actually displays in the resultant HTML
page as:
AssertionError: Handler has returned result or raised SERVER_RETURN
exception with argument having non integer type. Type of value returned
was , whereas expected .
The error reporter therefore should pass content through cgi.escape().
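To illustrate the defect and the proposed fix, the following is an added example, not code from the issue or from mod_python: it builds the <pre> fragment of a debug error page with and without escaping, then approximates what a browser displays by parsing the fragment with html.parser. html.escape stands in for cgi.escape, which was removed in Python 3.8.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the exception text quoted in the issue report.
EXC_TEXT = (
    "AssertionError: Handler has returned result or raised SERVER_RETURN\n"
    "exception with argument having non integer type. Type of value returned\n"
    "was <type 'module'>, whereas expected <type 'int'>."
)


def render_error_pre(detail, escape=True):
    """Build the <pre> block of a PythonDebug-style error page.

    escape=False reproduces the reported defect: the exception text is
    inserted verbatim, so '<', '>' and '&' inside it are parsed as markup.
    escape=True applies the fix the report asks for; html.escape is the
    modern replacement for cgi.escape.
    """
    body = html.escape(detail, quote=True) if escape else detail
    return "<pre>\n%s\n</pre>" % body


class _TextOnly(HTMLParser):
    """Collect only text nodes, i.e. what a browser would render visibly."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def handle_data(self, data):
        self.parts.append(data)


def visible_text(fragment):
    """Approximate the displayed text: tags vanish, entities are decoded."""
    parser = _TextOnly()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.parts).strip()


if __name__ == "__main__":
    # Unescaped: "<type 'module'>" is swallowed as a tag and disappears.
    print(visible_text(render_error_pre(EXC_TEXT, escape=False)))
    # Escaped: the full exception text survives intact.
    print(visible_text(render_error_pre(EXC_TEXT, escape=True)))
```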
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira