[ https://issues.apache.org/jira/browse/MODPYTHON-151?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Graham Dumpleton closed MODPYTHON-151. -------------------------------------- > PythonDebug exception error page doesn't escape special HTML characters. > ------------------------------------------------------------------------ > > Key: MODPYTHON-151 > URL: https://issues.apache.org/jira/browse/MODPYTHON-151 > Project: mod_python > Issue Type: Bug > Components: core > Affects Versions: 2.7.10, 3.1.4, 3.2.8 > Reporter: Graham Dumpleton > Assigned To: Graham Dumpleton > Fix For: 3.3 > > > When an exception occurs in a handler and PythonDebug is On, an error page is > generated and returned to the client. The traceback and details of the > exception will be output within a <pre></pre> section, however the content > put in the section is included as is and no escaping is performed on special > HTML characters. This means that if the details of the exception include any > special HTML characters, it can stuff up the formatting of the page and/or > information could on face value be lost. > For example the new importer will generate a specific exception where the > response from a handler is not of the correct type. > AssertionError: Handler has returned result or raised SERVER_RETURN > exception with argument having non integer type. Type of value returned > was <type 'module'>, whereas expected <type 'int'>. > Because this includes <> characters, it actuall displays in the resultant > HTML page as: > AssertionError: Handler has returned result or raised SERVER_RETURN > exception with argument having non integer type. Type of value returned > was , whereas expected . > The error reporter therefore should pass content through cgi.escape(). -- This message is automatically generated by JIRA. - You can reply to this email to add a comment to the issue online.