#2702: markup like <br/> in torrent comments -> harmless? error message
------------------------------------+---------------------------
Reporter: pcordes | Owner:
Type: bug | Status: new
Priority: minor | Milestone: Future
Component: GTK-UI | Version: develop (git)
Keywords: security comments html |
------------------------------------+---------------------------
deluge 1.4.0.dev366 (git 1e75b7bd1269d9d374652e917e9522749d0e5a56) on
Ubuntu 14.04. (libgtk-3-0 version 3.10.8)
With a torrent with a <br/> in its comment field, switching to the details
tab (or covering / uncovering the window, so GTK redraws it) leads to a
warning about an unknown tag. And the comment field in the details tab
shows as empty.
Switching to the tab:
/usr/local/lib/python2.7/dist-packages/deluge-1.4.0.dev366-py2.7.egg/deluge/ui/gtkui/details_tab.py:100:
GtkWarning: Failed to set text from markup due to error parsing markup:
Unknown tag 'br' on line 1 char 51
widget[0].set_markup(txt.replace('&', '&amp;'))
When uncovering the window triggered the redraw:
/usr/lib/python2.7/dist-packages/twisted/internet/_glibbase.py:309:
GtkWarning: Failed to set text from markup due to error parsing markup:
Unknown tag 'br' on line 1 char 51
self._run()
There's some caching somewhere, so you don't get the error repeatedly when
flipping back and forth.
Better behaviour might be to escape or quote or whatever is needed, so
text from the torrent is just displayed literally without being fed to
anything that's going to try to parse it as markup. Apparently some
torrents are out there with HTML newlines in their comments, so it would
be better to display the raw HTML than to throw an error and display
nothing.
Also better for security reasons to not feed un-treated data into
something that might choke on it, unless set_markup is supposed to be able
to handle potentially hostile data without risk.
--
Ticket URL: <http://dev.deluge-torrent.org/ticket/2702>
Deluge <http://deluge-torrent.org/>
Deluge Project
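The ticket's suggestion, as an added example that is not Deluge's code: it compares the ampersand-only escaping seen in the warning with escaping every markup metacharacter, so the comment is shown literally. Assumptions: Python's ElementTree stands in for GTK's markup parser, the helper names are hypothetical, and the sample comments are constructed.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def ampersand_only(txt):
    """Escaping seen in the warning: '<' and '>' still reach the parser."""
    return txt.replace('&', '&amp;')


def escape_for_markup(txt):
    """Escape all markup metacharacters so untrusted text is displayed literally."""
    # Drop control characters that XML-style markup cannot carry at all.
    cleaned = ''.join(c for c in txt if c in '\t\n\r' or ord(c) >= 0x20)
    return escape(cleaned, {'"': '&quot;', "'": '&apos;'})


def parse_markup(markup):
    """Return (tag names, displayed text), or None if the parser rejects it.

    Assumption: a generic XML parser approximates the markup parser here;
    the real one additionally rejects tags it does not know, such as 'br'.
    """
    try:
        root = ET.fromstring('<m>' + markup + '</m>')
    except ET.ParseError:
        return None
    tags = [el.tag for el in root.iter() if el is not root]
    return tags, ''.join(root.itertext())


# Constructed torrent comments, not taken from real torrents.
SAMPLES = [
    'First line<br/>second line',
    'Tom & Jerry <b>bold',
    'size < 4 "GiB"\x01',
]


def report():
    """For each comment: (comment, result with weak escaping, result with full escaping)."""
    return [(c, parse_markup(ampersand_only(c)), parse_markup(escape_for_markup(c)))
            for c in SAMPLES]


if __name__ == '__main__':
    for comment, weak, safe in report():
        print(repr(comment), '| ampersand only:', weak, '| fully escaped:', safe)
```

With full escaping, every sample parses with no tags and the displayed text equals the raw comment (minus dropped control characters), which is the "display the raw HTML" behaviour the ticket asks for.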