From: David Lutterkort <lut...@redhat.com> * Special characters like &, <, and > need to be escaped in error messages * In the backtrace in error messages, only show paths in deltacloud itself; the full backtrace is still in the error details section of the page --- server/lib/deltacloud/helpers/deltacloud_helper.rb | 11 +++++++++++ server/views/errors/500.html.haml | 11 +++++++---- 2 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/server/lib/deltacloud/helpers/deltacloud_helper.rb b/server/lib/deltacloud/helpers/deltacloud_helper.rb
index 799478e..df23cea 100644
--- a/server/lib/deltacloud/helpers/deltacloud_helper.rb
+++ b/server/lib/deltacloud/helpers/deltacloud_helper.rb
@@ -288,6 +288,17 @@ module Deltacloud::Helpers
 not features_arr.empty?
 end
+ HTML_ESCAPE = { '&' => '&', '>' => '>', '<' => '<', '"' => '"' }
+
+ def h(s)
+ s.to_s.gsub(/[&"><]/n) { |special| HTML_ESCAPE[special] }
+ end
+
+ def bt(trace)
+ app_path = File::expand_path("../../..", __FILE__)
+ trace.select { |t| t.match(%r{^#{app_path}}) }.join("\n")
+ end
+
 private
 def hardware_property_unit(prop)
 u = ::Deltacloud::HardwareProfile::unit(prop)
diff --git a/server/views/errors/500.html.haml b/server/views/errors/500.html.haml
index 19cf090..1b04a21 100644
--- a/server/views/errors/500.html.haml
+++ b/server/views/errors/500.html.haml
@@ -2,7 +2,7 @@
 %ul{ :'data-role' => :listview , :'data-inset' => :true, :'data-divider-theme' => 'e'}
 %li{ :'data-role' => 'list-divider'} Server message
 %li
- %h3=[@error.class.name, @error.message].join(' - ')
+ %h3= h [@error.class.name, @error.message].join(' - ')
 %li{ :'data-role' => 'list-divider'} Original request URI
 %li
 %a{ :href => request.env['REQUEST_URI'], :'data-ajax' => 'false'}
@@ -11,15 +11,18 @@
 %li{ :'data-role' => 'list-divider'} Error details
 %li
 - if @error.class.method_defined? :details
- %p= @error.details
+ %p= h @error.details
 - else
 %em No details
+ %li{ :'data-role' => 'list-divider'} Backtrace
+ %li
+ %pre= bt @error.backtrace
 %div{ 'data-role' => :collapsible, 'data-collapsed' => "true"}
 %h3 Backtrace
 %ul{ :'data-role' => :listview , :'data-inset' => :true, :'data-divider-theme' => 'e'}
 %li
- %pre=@error.backtrace.join("\n")
+ %pre= h @error.backtrace.join("\n")
 %div{ 'data-role' => :collapsible, 'data-collapsed' => "true"}
 %h3 Parameters
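Review bot: `h` leaves `'` unescaped, so its output is only safe in element content and double-quoted attributes; adding `"'" => '&#39;'` to `HTML_ESCAPE` and `'` to the character class closes that gap. The table's values as rendered on this page are identical to their keys, which is presumably the archive decoding the entities, but it is worth confirming that the committed file really maps to `&amp;`, `&gt;`, `&lt;` and `&quot;`, since an identity table would make `h` a no-op. In `bt`, `%r{^#{app_path}}` interpolates the install path into a regex unescaped, so metacharacters in the path are treated as pattern syntax; `trace.select { |t| t.start_with?(app_path) }` states the intent without that risk. `bt` will also raise inside the error page when `backtrace` is nil (an exception object that was never raised), so `(trace || [])` is a cheap guard.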
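Review bot: The added `%pre= bt @error.backtrace` is the only output in this hunk that does not pass through `h`, and backtrace frames commonly carry `<` and `>` in labels such as `<top (required)>` or `<class:...>`, so it should read `%pre= h bt(@error.backtrace)`. The new list item also puts server file paths in the always-visible part of the page rather than the collapsed section. Whether this template is served outside development is not visible here; if it is, both backtrace blocks are better rendered only in non-production mode. The surrounding list starts above the hunk.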
@@ -40,4 +43,4 @@
 - next if value.inspect.to_s == '#'
 %li{ :'data-role' => 'list-divider'}=key
 %li
- %span{:style => 'font-weight:normal;'}=value.inspect
+ %span{:style => 'font-weight:normal;'}= h value.inspect
-- 
1.7.7.6
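Review bot: The parameter name on the `=key` context line two lines above the change is still written out raw, although it is as request-controlled as the value that now gets `h`; it should become `%li{ :'data-role' => 'list-divider'}= h key`. Escaping call site by call site makes this kind of miss easy, so consider turning on Haml's `:escape_html` option for the views instead and then dropping the explicit `h` calls to avoid double escaping. The loop that yields `key` and `value` begins outside this hunk, so the source of the parameters is inferred from the "Parameters" heading in the previous hunk.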