Ian Bicking avatar Ian Bicking committed 49e69bf

Just a bit more paranoia in quoting comments, though I wasn't able to reproduce any actual issue

Comments (0)

Files changed (4)

   :class:`paste.urlparser.StaticURLParser` and
   :class:`paste.urlmap.URLMap`.  If you ask for a path with
   ``/--><script>...`` that will be inserted in the error page and can
-  execute Javascript.  Reported by Tim Wintle.
+  execute Javascript.  Reported by Tim Wintle with further details
+  from Georg-Christian Pranschke.
 * Replaced :func:`paste.util.mimeparse.desired_match`


     def plain(self, environ):
         """ text/plain representation of the exception """
-        body = self.make_body(environ, strip_html(self.template), comment_quote)
+        body = self.make_body(environ, strip_html(self.template), no_quote, comment_quote)
         return ('%s %s\r\n%s\r\n' % (self.code, self.title, body))
     def html(self, environ):


     return s
 _comment_quote_re = re.compile(r'\-\s*\>')
+# Everything but \r, \n, \t:
+_bad_chars_re = re.compile('[\x00-\x08\x0b-\x0c\x0e-\x1f]')
 def comment_quote(s):
     Quote that makes sure text can't escape a comment
-    return _comment_quote_re.sub('-&gt', str(s))
+    comment = str(s)
+    #comment = _bad_chars_re.sub('', comment)
+    #print 'in ', repr(str(s))
+    #print 'out', repr(comment)
+    comment = _comment_quote_re.sub('-&gt;', comment)
+    return comment
 url_quote = urllib.quote
 url_unquote = urllib.unquote


     app = TestApp(mapper, extra_environ={'HTTP_ACCEPT': 'text/html'})
     res = app.get("/-->%0D<script>alert('xss')</script>", status=404)
     assert '--><script' not in res.body
+    res = app.get("/--%01><script>", status=404)
+    assert '--\x01><script>' not in res.body
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.