Opened at 2021-02-10T16:31:23Z
#3609 new defect
Manual quoting/escaping is scattered ad hoc throughout the web code
| Reported by: | exarkun | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | undecided |
| Component: | code-frontend-web | Version: | n/a |
| Keywords: | wui | Cc: | |
| Launchpad Bug: | | | |
Description
Consider https://github.com/tahoe-lafs/tahoe-lafs/blob/master/src/allmydata/web/check_results.py#L435
It is a testament to someone's diligence that the name is being quoted using html.escape here. However, relying on diligence for every such occurrence is an unreliable strategy for producing correct, *safe* html output.
These cases should be handled automatically, systematically, and probably centrally in some part of the html generation library (twisted.web.template or our layer on top of it).
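The contrast the ticket draws, as an added illustration (not code from tahoe-lafs or from twisted.web.template): the first renderer models the scattered style, where every call site must remember `html.escape` and one that forgets emits the untrusted name verbatim; the second routes every string through a tiny builder that escapes unconditionally and uses a `Markup` type to mark fragments that are already safe, which is the "handle it centrally in the HTML generation layer" approach the ticket asks for. The sample name, the `tag`/`Markup` helpers and the `contains_raw_markup` check are constructed here for the example.

```python
import html
from dataclasses import dataclass

# Constructed sample input: a user-chosen name containing characters that are
# significant in HTML. A check-results page would get such names from a
# directory listing, so they must be treated as untrusted text.
UNTRUSTED_NAME = '<b>not bold</b> & "quoted"'


def render_adhoc(name: str, escape: bool) -> str:
    """The ad hoc style the ticket objects to: correctness depends on each call
    site remembering to escape. escape=False models the one site that forgets."""
    shown = html.escape(name, quote=True) if escape else name
    return f"<li>{shown}</li>"


@dataclass(frozen=True)
class Markup:
    """A fragment that is already safe HTML. Only tag() below produces these,
    so whether a value has been escaped is answered by its type, not by
    inspecting every call site."""
    value: str


def tag(name: str, *children, **attrs) -> Markup:
    """Build an element. Every plain str child or attribute value is escaped
    here, unconditionally; Markup children are inserted as-is because they
    were escaped when they were built. Trailing underscores on attribute
    names are stripped so class_ can be used for class."""
    attr_text = "".join(
        f' {key.rstrip("_")}="{html.escape(str(val), quote=True)}"'
        for key, val in attrs.items()
    )
    body = "".join(
        child.value if isinstance(child, Markup)
        else html.escape(str(child), quote=True)
        for child in children
    )
    return Markup(f"<{name}{attr_text}>{body}</{name}>")


def render_systematic(name: str) -> str:
    """Same output as the diligent ad hoc site, but nothing to remember."""
    return tag("li", name).value


def contains_raw_markup(rendered: str, untrusted: str) -> bool:
    """Simple check usable in tests: an untrusted string containing HTML
    metacharacters must never appear verbatim in rendered output."""
    return untrusted in rendered


if __name__ == "__main__":
    forgotten = render_adhoc(UNTRUSTED_NAME, escape=False)
    print("forgotten escape ->", forgotten,
          "| raw markup leaked:", contains_raw_markup(forgotten, UNTRUSTED_NAME))
    print("systematic       ->", render_systematic(UNTRUSTED_NAME))
    print(tag("ul", tag("li", "a"), tag("li", UNTRUSTED_NAME), class_="names").value)
```

The `contains_raw_markup` check is the kind of assertion a test suite can run over every rendered page to detect a site that skipped escaping; with the builder approach that assertion holds by construction rather than by review of each call site.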