annotate roundup/anypy/html.py @ 8356:63390dcfcfe9

bug: fix template use of structure with untrusted data

Looks like an XSS bug with an early version of the template that was fixed in the code but never in the deployed tracker. It has been a while since this particular construct has been in the classic template which is the base for the tracker. This has been fixed on the deployed tracker as well.

reported by 4bug of ChaMd5 Security Team H1 Group
author John Rouillard <rouilj@ieee.org>
date Tue, 08 Jul 2025 10:23:09 -0400
parents 7f888f046857
children
Revisions appearing in this annotation (rev, changeset, author, parent, summary):

5837  883c9e90b403  John Rouillard <rouilj@ieee.org>  (no parent listed)  Fix problem with cgi.escape being deprecated a different way. This way
6027  ff57db595a58  John Rouillard <rouilj@ieee.org>  parent: 5837       flake8 cleanups whitespace formatting only.
7769  7f888f046857  John Rouillard <rouilj@ieee.org>  parent: 6027       chore: ruff lint: replace str variable name with string

rev   line  source
5837     1  try:
6027     2      from html import escape as html_escape_  # python 3
6027     3
7769     4      def html_escape(string, quote=False):
5837     5          # html_escape under python 3 sets quote to true by default
5837     6          # make it python 2 compatible
7769     7          return html_escape_(string, quote=quote)
5837     8  except ImportError:
6027     9      # python 2 fallback
6027    10      from cgi import escape as html_escape  # noqa: F401
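An added example (not code from the Roundup code base) showing the two ways output escaping is lost that this page touches on: a TAL-style `structure` insertion, which the commit message identifies as the bug, bypasses escaping entirely; and the shim's Python 2 compatible `quote=False` default, which leaves a double quote intact, is unsafe when the value lands inside an attribute. `tal_insert`, the render helpers, `attribute_intact` and the input string are constructed for this illustration.

```python
import html


# Roundup's shim in roundup/anypy/html.py keeps quote=False as the default so
# Python 3's html.escape behaves like Python 2's cgi.escape. This copy
# reproduces that default for the demonstration below.
def html_escape(string, quote=False):
    return html.escape(string, quote=quote)


def tal_insert(value, structure=False):
    """Model of a TAL content insertion (illustrative, not Roundup's engine):
    'structure' inserts the value as raw markup, otherwise it is escaped."""
    return value if structure else html_escape(value)


def render_text_node(untrusted):
    # Element text: escaping &, <, > is sufficient; quotes cannot break out.
    return "<td>%s</td>" % html_escape(untrusted)


def render_attribute(untrusted):
    # Attribute value: the shim's default would leave '"' untouched, so the
    # value could terminate the attribute. Always pass quote=True here.
    return '<input value="%s">' % html_escape(untrusted, quote=True)


def render_attribute_with_default(untrusted):
    # The pattern to flag in review: relying on the default inside an attribute.
    return '<input value="%s">' % html_escape(untrusted)


def attribute_intact(rendered):
    # A single quoted attribute value contains exactly two double quotes.
    return rendered.count('"') == 2


# Constructed untrusted input carrying every character the escaper must handle.
UNTRUSTED = 'O"Brien <b>& co'

if __name__ == "__main__":
    for label, out in [
        ("structure (raw)", tal_insert(UNTRUSTED, structure=True)),
        ("escaped text", render_text_node(UNTRUSTED)),
        ("attribute, quote=True", render_attribute(UNTRUSTED)),
        ("attribute, default", render_attribute_with_default(UNTRUSTED)),
    ]:
        print("%-22s %s" % (label, out))
```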

Roundup Issue Tracker: http://roundup-tracker.org/