[tahoe-lafs-trac-stream] [Tahoe-LAFS] #3609: Manual quoting/escaping is scattered ad hoc throughout the web code
Tahoe-LAFS
trac at tahoe-lafs.org
Wed Feb 10 16:31:23 UTC 2021
#3609: Manual quoting/escaping is scattered ad hoc throughout the web code
-------------------------------+---------------------------
Reporter: exarkun | Owner:
Type: defect | Status: new
Priority: normal | Milestone: undecided
Component: code-frontend-web | Version: n/a
Keywords: wui | Launchpad Bug:
-------------------------------+---------------------------
Consider https://github.com/tahoe-lafs/tahoe-lafs/blob/master/src/allmydata/web/check_results.py#L435
It is a testament to someone's diligence that the name is being quoted
using `html.escape` here. However, relying on diligence for every such
occurrence is an unreliable strategy for producing correct, *safe* html
output.
These cases should be handled automatically, systematically, and probably
centrally in some part of the html generation library
(twisted.web.template or our layer on top of it).
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/3609>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
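The contrast the ticket draws, as an added example that is not code from Tahoe-LAFS or from Twisted: a call site that builds HTML by string formatting has to remember `html.escape` every time, whereas a tiny element builder that escapes in one central place (the serializer) makes forgetting impossible. The `Tag`, `Safe` and `render` names and the two `*_check_result` functions are hypothetical stand-ins for the kind of layer the ticket asks for; twisted.web.template behaves the same way for plain string children and attribute values when it flattens a tree.

```python
import html

# Hypothetical minimal HTML builder (not Tahoe-LAFS or Twisted code) showing the
# ticket's point: escaping lives in the serializer, not at each call site.


class Safe(str):
    """Already-rendered HTML that must be emitted verbatim (opt-in, explicit)."""


class Tag:
    """An element whose tag name comes from code, never from user input."""

    def __init__(self, name, *children, **attrs):
        self.name = name
        self.children = list(children)
        self.attrs = attrs

    def render(self):
        parts = ["<", self.name]
        for key, value in self.attrs.items():
            # Trailing underscore lets callers write class_="x" for "class".
            # Attribute values are always escaped, including both quote styles.
            parts.append(' %s="%s"' % (key.rstrip("_"), html.escape(str(value), quote=True)))
        parts.append(">")
        for child in self.children:
            parts.append(render(child))
        parts.append("</%s>" % self.name)
        return "".join(parts)


def render(node):
    """Central escaping point: every non-Safe string is escaped exactly once."""
    if isinstance(node, Tag):
        return node.render()
    if isinstance(node, Safe):
        return str(node)
    return html.escape(str(node), quote=True)


def adhoc_check_result(name):
    """The pattern the ticket warns about: correctness depends on the author
    remembering html.escape here. This version forgot, so a hostile storage
    index name lands in the page unescaped."""
    return "<li>%s: healthy</li>" % name


def template_check_result(name):
    """Same output built through the central layer; nothing to remember."""
    return Tag("li", name, ": healthy").render()


if __name__ == "__main__":
    # Constructed hostile input standing in for a user-controlled name.
    hostile = "<script>alert(1)</script>"
    print(adhoc_check_result(hostile))
    print(template_check_result(hostile))
    print(Tag("a", "home", href='" onmouseover="x').render())
```

The `Safe` wrapper is the one deliberate escape hatch: anything marked safe bypasses escaping, so it should only wrap HTML the code produced itself, never a user-supplied value. Making "raw" the explicit, rare case and "escaped" the default is what turns a diligence problem into a type-level guarantee.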