| Graham Dumpleton (JIRA) 2006-03-27, 7:50 am |
| [ http://issues.apache.org/jira/brows...ON-151?page=all ]
Graham Dumpleton resolved MODPYTHON-151:
----------------------------------------
Fix Version: 3.3
Resolution: Fixed
> PythonDebug exception error page doesn't escape special HTML characters.
> ------------------------------------------------------------------------
>
> Key: MODPYTHON-151
> URL: http://issues.apache.org/jira/browse/MODPYTHON-151
> Project: mod_python
> Type: Bug
> Components: core
> Versions: 3.2.8, 3.1.4, 2.7.10
> Reporter: Graham Dumpleton
> Assignee: Graham Dumpleton
> Fix For: 3.3
>
> When an exception occurs in a handler and PythonDebug is On, an error page is generated and returned to the client. The traceback and details of the exception will be output within a <pre></pre> section, however the content put in the section is include
d as is and no escaping is performed on special HTML characters. This means that if the details of the exception include any special HTML characters, it can stuff up the formatting of the page and/or information could on face value be lost.
> For example the new importer will generate a specific exception where the response from a handler is not of the correct type.
> AssertionError: Handler has returned result or raised SERVER_RETURN
> exception with argument having non integer type. Type of value returned
> was <type 'module'>, whereas expected <type 'int'>.
> Because this includes <> characters, it actuall displays in the resultant HTML page as:
> AssertionError: Handler has returned result or raised SERVER_RETURN
> exception with argument having non integer type. Type of value returned
> was , whereas expected .
> The error reporter therefore should pass content through cgi.escape().
|