
kentontaylor pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/allura.git

commit 0faeaec5337d07b4090ee27b010453748f0a0c53
Author: Dave Brondsema <[email protected]>
AuthorDate: Tue Feb 21 13:54:11 2023 -0500

    [#8500] error page message should always be escaped, not assumed to be 
"safe"
---
 Allura/allura/controllers/error.py          | 4 +---
 Allura/allura/templates/error.html          | 2 +-
 Allura/allura/tests/functional/test_root.py | 2 +-
 3 files changed, 3 insertions(+), 5 deletions(-)

diff --git a/Allura/allura/controllers/error.py 
b/Allura/allura/controllers/error.py
index ae1f8a533..759d8e017 100644
--- a/Allura/allura/controllers/error.py
+++ b/Allura/allura/controllers/error.py
@@ -31,8 +31,6 @@ class ErrorController:
         code = -1
         if resp:
             code = resp.status_int
-        default_message = ("<p>We're sorry but we weren't able to process "
-                           " this request.</p>")
+        default_message = "We're sorry but we weren't able to process this 
request."
         message = request.environ.get('error_message', default_message)
-        message += '<pre>%r</pre>' % resp
         return dict(code=code, message=message)
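Review bot: The new `default_message` assignment documents the contract only implicitly; now that error.html escapes `message`, any code that stores HTML in `request.environ['error_message']` will render it as literal text, and nothing in this hunk records that. I would add a comment above the `message = request.environ.get(...)` line, such as `# error_message must be plain text: error.html renders it escaped, so markup here shows up literally`, and grep the setters of `error_message` to confirm none of them still pass markup. Dropping the `%r` of `resp` also removes internal response details from the page, which is worth a sentence in the method's docstring so it is not reintroduced. The enclosing method's signature and docstring (if any) are above the hunk, so the docstring itself cannot be quoted here.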
diff --git a/Allura/allura/templates/error.html 
b/Allura/allura/templates/error.html
index 3bfacc957..1495040db 100644
--- a/Allura/allura/templates/error.html
+++ b/Allura/allura/templates/error.html
@@ -24,5 +24,5 @@
 {% block header %}Error {{code}}{% endblock %}
 
 {% block content %}
-  {{message|safe}}
+  <p>{{message}}</p>
 {% endblock %}
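Review bot: `<p>{{message}}</p>` depends on the Jinja environment having autoescape enabled for this template; the escaped apostrophes asserted in the test_root.py hunk suggest it is, but the template itself does not say so. Since this block exists precisely to render untrusted error text safely, making the escape explicit with `<p>{{message|e}}</p>` keeps the behaviour correct even if autoescape is later disabled or the template is reused under a different environment. A one-line Jinja comment above it, `{# message is untrusted text: never add |safe here #}`, would also prevent the original pattern from being restored.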
diff --git a/Allura/allura/tests/functional/test_root.py 
b/Allura/allura/tests/functional/test_root.py
index a69dbf550..48921d48d 100644
--- a/Allura/allura/tests/functional/test_root.py
+++ b/Allura/allura/tests/functional/test_root.py
@@ -203,7 +203,7 @@ class TestRootController(TestController):
     def test_error_page(self):
         # hard to force a real error (esp. with middleware debugging being 
different for tests) but we can hit direct:
         r = self.app.get('/error/document')
-        r.mustcontain("We're sorry but we weren't able to process")
+        r.mustcontain("We&#39;re sorry but we weren&#39;t able to process")
 
     @mock.patch.dict(tg.config, {'csp.frame_sources_enforce': True,
                                  'csp.report_uri_enforce': 
'https://example.com/r/d/csp/enforce',
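Review bot: The updated assertion in test_error_page only checks that the default message's apostrophes are escaped; it does not exercise the case the commit fixes, where a message set via `request.environ['error_message']` contains markup. I would add a second request to the test, `r = self.app.get('/error/document', extra_environ={'error_message': '<b>x</b>'})` followed by `r.mustcontain('&lt;b&gt;x&lt;/b&gt;')`, so a regression to `|safe` or to a raw `<p>` wrapper fails the suite. The test method ends within the hunk; the decorator that follows belongs to the next test.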
