[
https://issues.apache.org/jira/browse/MODPYTHON-151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Graham Dumpleton closed MODPYTHON-151.
--------------------------------------
> PythonDebug exception error page doesn't escape special HTML characters.
> ------------------------------------------------------------------------
>
> Key: MODPYTHON-151
> URL: https://issues.apache.org/jira/browse/MODPYTHON-151
> Project: mod_python
> Issue Type: Bug
> Components: core
> Affects Versions: 2.7.10, 3.1.4, 3.2.8
> Reporter: Graham Dumpleton
> Assigned To: Graham Dumpleton
> Fix For: 3.3
>
>
> When an exception occurs in a handler and PythonDebug is On, an error page is
> generated and returned to the client. The traceback and details of the
> exception will be output within a <pre></pre> section, however the content
> put in the section is included as is and no escaping is performed on special
> HTML characters. This means that if the details of the exception include any
> special HTML characters, it can stuff up the formatting of the page and/or
> information could on face value be lost.
> For example the new importer will generate a specific exception where the
> response from a handler is not of the correct type.
> AssertionError: Handler has returned result or raised SERVER_RETURN
> exception with argument having non integer type. Type of value returned
> was <type 'module'>, whereas expected <type 'int'>.
> Because this includes <> characters, it actually displays in the resultant
> HTML page as:
> AssertionError: Handler has returned result or raised SERVER_RETURN
> exception with argument having non integer type. Type of value returned
> was , whereas expected .
> The error reporter therefore should pass content through cgi.escape().
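The behaviour described in the issue, as an added example that is not mod_python's own code: the traceback is placed in a `<pre>` block with and without escaping, and a parser shows what survives as visible text. `render_error_page` and `visible_text` are hypothetical names, and `html.escape()` is used because it replaces `cgi.escape()`, which current Python releases no longer ship.

```python
import html
import traceback
from html.parser import HTMLParser

# Exception text quoted in the issue (a Python 2 era type repr).
MESSAGE = ("Handler has returned result or raised SERVER_RETURN exception "
           "with argument having non integer type. Type of value returned "
           "was <type 'module'>, whereas expected <type 'int'>.")


def traceback_text():
    """Raise and catch the exception to obtain real traceback text."""
    try:
        raise AssertionError(MESSAGE)
    except AssertionError as exc:
        return "".join(
            traceback.format_exception(type(exc), exc, exc.__traceback__))


def render_error_page(text, escape=True):
    """Hypothetical stand-in for the PythonDebug error page generator."""
    # quote=False: the text lands in element content, not in an attribute.
    body = html.escape(text, quote=False) if escape else text
    return "<pre>\n" + body + "</pre>"


class _TextOnly(HTMLParser):
    """Collects character data only, discarding anything parsed as a tag."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def handle_data(self, data):
        self.chunks.append(data)


def visible_text(page):
    """Approximate what a browser displays: tags dropped, entities decoded."""
    parser = _TextOnly()
    parser.feed(page)
    parser.close()
    return "".join(parser.chunks)


if __name__ == "__main__":
    text = traceback_text()
    print(visible_text(render_error_page(text, escape=False)))  # types missing
    print(visible_text(render_error_page(text, escape=True)))   # types intact
```

The same unescaped path would let any markup that reaches an exception message be interpreted by the browser, so escaping here is more than a formatting fix.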