

Allan Crooks  committed 0c2655b

Generate syntactically valid HTML for redirect responses for URLs with quotes in them. Fixes #1139.

  • Parent commits cdfb71c
  • Branches default


Files changed (3)

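--- a/cherrypy/_cperror.py
+++ b/cherrypy/_cperror.py
                 303: "This resource can be found at ",
                 307: "This resource has moved temporarily to ",
             }[status]
-            msg += "<a href='%s'>%s</a>."
-            msgs = [msg % (u, u) for u in self.urls]
+            msg += '<a href=%s>%s</a>.'
+            from xml.sax import saxutils
+            msgs = [msg % (saxutils.quoteattr(u), u) for u in self.urls]
             response.body = ntob("<br />\n".join(msgs), 'utf-8')
             # Previous code may have set C-L, so we have to reset it
             # (allow finalize to set it).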
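Review bot: The link text in the new `msgs = [...]` line still interpolates `u` unescaped; only the `href` value goes through `saxutils.quoteattr`, so a URL containing `<` or `&` lands in the response body as raw markup. Where any part of a redirect target comes from the request (the `fragment` handler in test_core.py builds one from a path segment), this is an HTML-injection path unless the URL is already percent-encoded upstream, which this hunk does not show. Escape the text node too, e.g. `msgs = [msg % (saxutils.quoteattr(u), saxutils.escape(u)) for u in self.urls]`, and consider moving `from xml.sax import saxutils` up to the module imports. The enclosing method starts and ends outside the hunk.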

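--- a/cherrypy/test/test_core.py
+++ b/cherrypy/test/test_core.py
 
             def fragment(self, frag):
                 raise cherrypy.HTTPRedirect("/some/url#%s" % frag)
-                
+
             def url_with_quote(self):
                 raise cherrypy.HTTPRedirect("/some\"url/that'we/want")
 
 
         self.getPage("/redirect/by_code?code=300")
         self.assertMatchesBody(
-            r"<a href='(.*)somewhere%20else'>\1somewhere%20else</a>")
+            r"<a href=(['\"])(.*)somewhere%20else\1>\2somewhere%20else</a>")
         self.assertStatus(300)
 
         self.getPage("/redirect/by_code?code=301")
         self.assertMatchesBody(
-            r"<a href='(.*)somewhere%20else'>\1somewhere%20else</a>")
+            r"<a href=(['\"])(.*)somewhere%20else\1>\2somewhere%20else</a>")
         self.assertStatus(301)
 
         self.getPage("/redirect/by_code?code=302")
         self.assertMatchesBody(
-            r"<a href='(.*)somewhere%20else'>\1somewhere%20else</a>")
+            r"<a href=(['\"])(.*)somewhere%20else\1>\2somewhere%20else</a>")
         self.assertStatus(302)
 
         self.getPage("/redirect/by_code?code=303")
         self.assertMatchesBody(
-            r"<a href='(.*)somewhere%20else'>\1somewhere%20else</a>")
+            r"<a href=(['\"])(.*)somewhere%20else\1>\2somewhere%20else</a>")
         self.assertStatus(303)
 
         self.getPage("/redirect/by_code?code=307")
         self.assertMatchesBody(
-            r"<a href='(.*)somewhere%20else'>\1somewhere%20else</a>")
+            r"<a href=(['\"])(.*)somewhere%20else\1>\2somewhere%20else</a>")
         self.assertStatus(307)
 
         self.getPage("/redirect/nomodify")
         frag = "foo"
         self.getPage("/redirect/fragment/%s" % frag)
         self.assertMatchesBody(
-            r"<a href='(.*)\/some\/url\#%s'>\1\/some\/url\#%s</a>" % (
+            r"<a href=(['\"])(.*)\/some\/url\#%s\1>\2\/some\/url\#%s</a>" % (
                 frag, frag))
         loc = self.assertHeader('Location')
         assert loc.endswith("#%s" % frag)
         loc = self.assertHeader('Location')
         assert 'Set-Cookie' in loc
         self.assertNoHeader('Set-Cookie')
-        
+
         def assertValidXHTML():
             from xml.etree import ElementTree
             try:
         # do the same with a url containing quote characters.
         self.getPage("/redirect/url_with_quote")
         self.assertStatus(303)
-        assertValidXHTML()
+        assertValidXHTML()
 
     def test_InternalRedirect(self):
         # InternalRedirect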
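Review bot: The `url_with_quote` case asserts only `assertStatus(303)` and `assertValidXHTML()`, and the test URL `/some\"url/that'we/want` contains quotes but no `<`, `>` or `&`. As far as the visible lines show, nothing checks that the parsed `href` matches the `Location` header, and no case would fail if the link text were emitted unescaped. Add a second handler whose redirect target includes `<` and `&`, and assert on the body with something like `self.assertInBody('&lt;')` next to the well-formedness check. The body of `assertValidXHTML` is cut off after `try:`, so it may already cover part of this.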

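--- a/cherrypy/test/test_static.py
+++ b/cherrypy/test/test_static.py
         self.getPage("/docroot")
         self.assertStatus(301)
         self.assertHeader('Location', '%s/docroot/' % self.base())
-        self.assertMatchesBody("This resource .* <a href='%s/docroot/'>"
+        self.assertMatchesBody("This resource .* <a href=(['\"])%s/docroot/\\1>"
                                "%s/docroot/</a>." % (self.base(), self.base()))
 
     def test_config_errors(self):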