Opened 7 hours ago

Last modified 4 hours ago

#35897 new Cleanup/optimization

Template system: escape() calls in get_exception_info() should be removed

Reported by: Klaas van Schelven
Owned by:
Component: Error reporting
Version: dev
Severity: Normal
Keywords:
Cc: Keryn Knight
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no

Description

Here there are some calls to escape()

They shouldn't be there: escaping happens in templates for non-safe strings anyway, so there's no need.

And there _is_ a drawback: as an example, the Python Sentry SDK copies this info, but because it gets sent over the wire (as a JSON string) the information that this has already been escaped is lost, and on the receiving end it is escaped again.

This means that on the server side the error tracker, in my case Bugsink, will show doubly escaped HTML code snippets. This looks something like this:

<p class="relative text-slate-600 text-base md:text-xl mb-4 md:mb-5"> 

Removing the calls to escape simply solves this. Which makes sense: calling escape is simply not the responsibility of this piece of code, it should just stay marked as unsafe and be escaped at the edges (on rendering).
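
An added illustration of the double escaping described in this ticket, not code from Django, the Sentry SDK or Bugsink. SafeStr, escape, render and over_the_wire are minimal standard-library stand-ins (assumptions) for Django's safe-string marking, its escape(), template autoescaping and the SDK's JSON transport; the source line is constructed.

```python
import html
import json


class SafeStr(str):
    """Stand-in for Django's SafeString: a str flagged as already escaped."""

    def __html__(self):
        return self


def escape(text):
    """Stand-in for django.utils.html.escape: escape and mark as safe."""
    return SafeStr(html.escape(str(text)))


def render(value):
    """Stand-in for template autoescaping: escape unless marked safe."""
    return value if hasattr(value, "__html__") else html.escape(value)


def over_the_wire(value):
    """JSON round trip, as when an SDK ships the frame to a tracker.

    JSON has no notion of a safe string, so the marker is dropped and the
    receiver gets back a plain str.
    """
    return json.loads(json.dumps({"source_line": value}))["source_line"]


def local_and_remote(value):
    """Return (rendered in-process, rendered by the receiver after JSON)."""
    return render(value), render(over_the_wire(value))


# Constructed sample: one template source line from an exception frame.
SOURCE_LINE = '<p class="lead">{{ user.nmae }}</p>'

if __name__ == "__main__":
    for label, value in (("escaped at source", escape(SOURCE_LINE)),
                         ("left raw", SOURCE_LINE)):
        local, remote = local_and_remote(value)
        print(f"{label}:\n  local : {local}\n  remote: {remote}")
```

Escaping at the source renders correctly in-process but is escaped a second time by the receiver; the raw string is escaped exactly once on both sides.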

Attachments (1)

2024-11-08_1877x538.png (121.7 KB) - added by Klaas van Schelven 7 hours ago.

Change History (3)

by Klaas van Schelven, 7 hours ago

Attachment: 2024-11-08_1877x538.png added

comment:1 by Klaas van Schelven, 7 hours ago

Has patch: set

comment:2 by Sarah Boyce, 4 hours ago

Cc: Keryn Knight added
Component: Uncategorized → Error reporting
Type: Uncategorized → Cleanup/optimization

Given #33461 added force_escape to message, we might need to move that escaping into the template
