Opened 18 years ago

Closed 18 years ago

Last modified 14 years ago

#1204 closed defect (fixed)

markup filters shouldn't fail silently

Reported by: nirvdrum Owned by: Adrian Holovaty
Component: Tools Version:
Severity: normal Keywords:
Cc: Triage Stage: Unreviewed
Has patch: no Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

In the source code for the markup app, the comments say that if the appropriate libraries are not installed, the filter will fail silently and return the un-marked-up text. This seems to me to be a bad design decision. If the proper libraries are not installed, the developer should be notified right away. Not marking up the text is not what the developer intended and does not seem to be a case of degrading gracefully.

Additionally, I was unable to find this limitation noted anywhere on the Web site. It wasn't until I dug into the source and read that comment that I discovered why my app wasn't working properly.

Change History (6)

comment:1 by James Bennett, 18 years ago

FWIW, the documentation on writing template filters indicates this:

"Filter functions should always return something. They shouldn't raise exceptions. They should fail silently. In case of error, they should return either the original input or an empty string -- whichever makes more sense."

comment:2 by James Bennett, 18 years ago

And hopefully some more clarification on the reasoning for this will be found here.

comment:3 by Simon Willison, 18 years ago

There is a potential security problem here. If the filter that fails is one that removes dangerous HTML and that dangerous HTML is spat straight back out again you might end up with an XSS hole. We should at least have filters fail noisily if DEBUG is on. Maybe we should always eat the text rather than spit it out again in production. Errors of this kind in production should be logged as well.

comment:4 by Adrian Holovaty, 18 years ago

Resolution: fixed
Status: newclosed

(In [2730]) magic-removal: Fixed #1204 -- Markup filters now raise a TemplateSyntaxError if the Python libraries aren't installed and DEBUG=True

comment:5 by Gary Wilson, 14 years ago

(In [12858]) Removed out-of-date statement in markdown templatetags docstring (refs #1204).

comment:6 by Gary Wilson, 14 years ago

(In [12859]) [1.1.X] Removed out-of-date statement in markdown templatetags docstring (refs #1204).

Backport of r12858 from trunk.

Note: See TracTickets for help on using tickets.
Back to Top