Opened 14 years ago
Closed 14 years ago
#14125 closed (duplicate)
'Safe strings' are not force-escaped on development 500 page
| Reported by: | Elijah Rutschman | Owned by: | Elijah Rutschman |
|---|---|---|---|
| Component: | Uncategorized | Version: | dev |
| Severity: | | Keywords: | debug.py 500 escape |
| Cc: | | Triage Stage: | Design decision needed |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | yes | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
In the 'Local vars' section of the debugging 500 error page, strings that have been 'marked safe' are not escaped before output, which has often resulted in HTML from my variables being inserted into the page.
While using 'mark_safe' on a string variable indicates that the string should not be escaped further, I think an exception should be made for the debugging 500 page, based on my assumption that most developers would rather see a string's value than the resultant HTML elements.
I have attached a patch that uses 'force_escape' in lieu of 'escape'.
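Why the choice of filter matters, shown with an added example that is not the attached patch or Django's own code: a minimal stand-in for Django's `mark_safe`, `escape` and `force_escape` semantics (an object exposing `__html__` is treated as already safe), rendering a 'Local vars' row with each filter. It assumes the marked-safe value reaches the template with its safe flag intact.

```python
import html


class SafeString(str):
    """Stand-in for django.utils.safestring.SafeString (assumption: the
    only contract that matters here is the __html__ hook)."""

    def __html__(self):
        return str(self)


def mark_safe(value):
    """Flag a string as safe, i.e. exempt from further autoescaping."""
    return SafeString(value)


def escape(value):
    """Models Django's 'escape' filter: anything declaring __html__ is
    passed through untouched, so a marked-safe string lands as raw HTML."""
    if hasattr(value, "__html__"):
        return value.__html__()
    return html.escape(str(value), quote=True)


def force_escape(value):
    """Models Django's 'force_escape' filter: always escape, safe or not."""
    return html.escape(str(value), quote=True)


def render_local_vars(local_vars, escaper):
    """Render 'Local vars' table rows using the given escaping filter."""
    rows = []
    for name, value in sorted(local_vars.items()):
        rows.append("<tr><td>%s</td><td>%s</td></tr>"
                    % (escaper(name), escaper(value)))
    return "\n".join(rows)


def compare(snippet):
    """Return (escape output, force_escape output) for one marked-safe local."""
    local_vars = {"snippet": mark_safe(snippet)}   # constructed frame locals
    return (render_local_vars(local_vars, escape),
            render_local_vars(local_vars, force_escape))


if __name__ == "__main__":
    weak, strong = compare("<b>unescaped</b>")
    print(weak)     # the <b> element is emitted as markup
    print(strong)   # the developer sees the literal string value
```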
Attachments (1)
Change History (5)
by , 14 years ago
Attachment: debug.py.diff added

comment:1 by , 14 years ago
Owner: changed from to
Status: new → assigned

comment:2 by , 14 years ago
Needs tests: set
Triage Stage: Unreviewed → Accepted

comment:3 by , 14 years ago
Triage Stage: Accepted → Design decision needed
Force escape 'Local vars' output on debug page