#3609 new defect

Manual quoting/escaping is scattered ad hoc throughout the web code

Reported by: exarkun Owned by:
Priority: normal Milestone: undecided
Component: code-frontend-web Version: n/a
Keywords: wui Cc:
Launchpad Bug:


Consider https://github.com/tahoe-lafs/tahoe-lafs/blob/master/src/allmydata/web/check_results.py#L435

It is a testament to someone's diligence that the name is being quoted using html.escape here. However, relying on diligence for every such occurrence is an unreliable strategy for producing correct, *safe* html output.

These cases should be handled automatically, systematically, and probably centrally in some part of the html generation library (twisted.web.template or our layer on top of it).

Change History (0)

Note: See TracTickets for help on using tickets.