[ http://issues.apache.org/jira/browse/MODPYTHON-151?page=all ]
Graham Dumpleton resolved MODPYTHON-151:
----------------------------------------
Fix Version: 3.3
Resolution: Fixed
> PythonDebug exception error page doesn't escape special HTML characters.
> ------------------------------------------------------------------------
>
> Key: MODPYTHON-151
> URL: http://issues.apache.org/jira/browse/MODPYTHON-151
> Project: mod_python
> Type: Bug
> Components: core
> Versions: 3.2.8, 3.1.4, 2.7.10
> Reporter: Graham Dumpleton
> Assignee: Graham Dumpleton
> Fix For: 3.3
>
> When an exception occurs in a handler and PythonDebug is On, an error page is
> generated and returned to the client. The traceback and details of the
> exception will be output within a <pre></pre> section, however the content
> put in the section is included as is and no escaping is performed on special
> HTML characters. This means that if the details of the exception include any
> special HTML characters, it can stuff up the formatting of the page and/or
> information could on face value be lost.
> For example the new importer will generate a specific exception where the
> response from a handler is not of the correct type.
> AssertionError: Handler has returned result or raised SERVER_RETURN
> exception with argument having non integer type. Type of value returned
> was <type 'module'>, whereas expected <type 'int'>.
> Because this includes <> characters, it actually displays in the resultant
> HTML page as:
> AssertionError: Handler has returned result or raised SERVER_RETURN
> exception with argument having non integer type. Type of value returned
> was , whereas expected .
> The error reporter therefore should pass content through cgi.escape().
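
The fix proposed in the issue, sketched as an added example (not mod_python's own code). It assumes Python 3, where `html.escape(text, quote=False)` does what `cgi.escape(text)` did; the function names and the sample handler are hypothetical. Without escaping, the browser parses `<type 'module'>` in the exception text as a tag instead of displaying it.

```python
import html
import traceback

# Constructed message modelled on the AssertionError quoted in the report.
SAMPLE_MESSAGE = ("Type of value returned was <type 'module'>, "
                  "whereas expected <type 'int'>.")


def format_failure(exc):
    """Return the traceback text for exc, as a debug page would show it."""
    return "".join(
        traceback.format_exception(type(exc), exc, exc.__traceback__))


def render_unescaped(text):
    """The behaviour the report describes: text placed in <pre> as is."""
    return "<pre>\n" + text + "</pre>"


def render_escaped(text):
    """Escape &, < and > first so the browser shows the text literally.

    Quotes are left alone: they need no escaping in element content,
    which matches the default behaviour of the old cgi.escape().
    """
    return "<pre>\n" + html.escape(text, quote=False) + "</pre>"


def failing_handler():
    # Hypothetical handler standing in for one that returns a wrong type.
    raise AssertionError(SAMPLE_MESSAGE)


def demo():
    """Render the same failure both ways and return (raw, safe)."""
    try:
        failing_handler()
    except AssertionError as exc:
        text = format_failure(exc)
    return render_unescaped(text), render_escaped(text)


if __name__ == "__main__":
    raw, safe = demo()
    print(raw)   # contains a literal <type 'module'> the browser treats as a tag
    print(safe)  # contains &lt;type 'module'&gt;, displayed as written
```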