Code

Opened 4 years ago

Closed 4 years ago

#14125 closed (duplicate)

'Safe strings' are not force-escaped on development 500 page

Reported by: elijahr Owned by: elijahr
Component: Uncategorized Version: master
Severity: Keywords: debug.py 500 escape
Cc: Triage Stage: Design decision needed
Has patch: yes Needs documentation: no
Needs tests: yes Patch needs improvement: no
Easy pickings: UI/UX:

Description

In the 'Local vars' section of the debugging 500 error page, strings that have been 'marked safe' are not escaped before output, which has often resulted in HTML from my variables being inserted into the page.

While using 'mark_safe' on a string variable indicates that the string should not be escaped further, I think an exception should be made for the debugging 500 page, based on my assumption that most developers would rather see a string's value than the resultant HTML elements.

I have attached a patch that uses 'force_escape' in lieu of 'escape'.

Attachments (1)

debug.py.diff (578 bytes) - added by elijahr 4 years ago.
Force escape 'Local vars' output on debug page

Download all attachments as: .zip

Change History (5)

Changed 4 years ago by elijahr

Force escape 'Local vars' output on debug page

comment:1 Changed 4 years ago by elijahr

  • Owner changed from nobody to elijahr
  • Status changed from new to assigned

comment:2 Changed 4 years ago by VickyTuite

  • Needs tests set
  • Triage Stage changed from Unreviewed to Accepted

comment:3 Changed 4 years ago by VickyTuite

  • Triage Stage changed from Accepted to Design decision needed

comment:4 Changed 4 years ago by SmileyChris

  • Resolution set to duplicate
  • Status changed from assigned to closed

Dupe of #7697

Add Comment

Modify Ticket

Change Properties
<Author field>
Action
as closed
as The resolution will be set. Next status will be 'closed'
The resolution will be deleted. Next status will be 'new'
Author


E-mail address and user name can be saved in the Preferences.

 
Note: See TracTickets for help on using tickets.