Manual quoting/escaping is scattered ad hoc throughout the web code #3609

Open
opened 2021-02-10 16:31:23 +00:00 by exarkun · 0 comments

Consider https://github.com/tahoe-lafs/tahoe-lafs/blob/master/src/allmydata/web/check_results.py#L435

It is a testament to someone's diligence that the name is being quoted using `html.escape` here. However, relying on diligence for every such occurrence is an unreliable strategy for producing correct, *safe* HTML output.

These cases should be handled automatically, systematically, and probably centrally in some part of the HTML generation library (`twisted.web.template` or our layer on top of it).
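The two strategies contrasted above, as an added example that is not code from the issue or from tahoe-lafs: `render_adhoc` is the scattered pattern, where each call site must remember to call `html.escape` and one forgotten call is an injection; `tag` is a minimal central renderer in the spirit the issue asks for, where every `str` child or attribute is escaped exactly once by construction and only a `Markup` value (which only the renderer produces) passes through unescaped. The name, the `Markup` class and the sample input are constructed for this illustration and are not tahoe-lafs identifiers; the stdlib is used instead of `twisted.web.template` so the block runs without Twisted installed.

```python
import html
from dataclasses import dataclass

# Constructed sample input standing in for an attacker-chosen filename in a
# directory listing; not real tahoe-lafs data.
UNTRUSTED_NAME = '<script>alert(1)</script>'


def render_adhoc(name: str, escaped: bool = True) -> str:
    """The scattered pattern: escaping is the caller's responsibility.

    escaped=False models a call site where the author forgot html.escape.
    """
    shown = html.escape(name) if escaped else name
    return f"<li>{shown}</li>"


@dataclass(frozen=True)
class Markup:
    """HTML already known to be safe. Only tag() constructs these, so a plain
    str can never reach the output unescaped."""
    value: str


def _flatten(child) -> str:
    """Serialise one child: Markup verbatim, str escaped, lists recursed."""
    if isinstance(child, Markup):
        return child.value
    if isinstance(child, str):
        return html.escape(child, quote=True)
    if isinstance(child, (list, tuple)):
        return "".join(_flatten(c) for c in child)
    raise TypeError(f"unsupported child type {type(child).__name__}")


def tag(name: str, *children, **attrs) -> Markup:
    """Central renderer: the single place where escaping happens.

    Attribute values are always quoted and escaped; a trailing underscore on a
    keyword (class_) is stripped so Python keywords can be used as attributes.
    """
    attr_text = "".join(
        f' {key.rstrip("_")}="{html.escape(str(value), quote=True)}"'
        for key, value in attrs.items()
    )
    body = "".join(_flatten(c) for c in children)
    return Markup(f"<{name}{attr_text}>{body}</{name}>")


def render_listing(names) -> str:
    """Render a listing through the central renderer; no call site here
    needs to know that escaping exists."""
    return tag("ul", [tag("li", tag("a", n, href=f"/uri/{n}")) for n in names]).value


if __name__ == "__main__":
    print(render_adhoc(UNTRUSTED_NAME))                 # diligent call site
    print(render_adhoc(UNTRUSTED_NAME, escaped=False))  # one forgotten escape
    print(render_listing([UNTRUSTED_NAME, 'b"c']))
```

Two properties are worth checking when adopting a renderer like this: a nested `Markup` must not be escaped a second time, and a string that a call site pre-escaped out of habit will be double-escaped (`&amp;amp;`), which is the visible sign that the old scattered calls still need removing. `twisted.web.template` has the same contract: plain `str` children of `tags` are escaped when flattened, and only values explicitly marked as already-rendered are passed through.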
exarkun added the labels code-frontend-web, normal, defect, n/a 2021-02-10 16:31:23 +00:00
exarkun added this to the undecided milestone 2021-02-10 16:31:23 +00:00
Reference: tahoe-lafs/trac-2024-07-25#3609