Marius Gedminas committed 30575d0

Make sure we HTML-escape everything.

There was missing HTML-escaping in the truncated long message case.

Files changed (2)

         """ = app
         tmpl_dir = os.path.join(here_dir, 'templates')
-        self.mako = TemplateLookup(directories=[tmpl_dir])
+        self.mako = TemplateLookup(directories=[tmpl_dir],
+                                   default_filters=['h'])
         self.log_colors = {}
         for key, val in itertools.chain(config.iteritems(),
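Review bot: `default_filters=['h']` on the added `TemplateLookup` lines replaces Mako's default filter list rather than extending it, so the implicit `unicode` conversion that Mako applies by default on Python 2 (which this code targets, given `config.iteritems()`) no longer runs in front of the escape. Consider `default_filters=['unicode', 'h']` to keep the string conversion ahead of `h`. A short comment here would also help: every template now depends on this setting for its escaping, and any expression that is meant to emit markup has to opt out explicitly with `| n`.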


                         <span style="cursor: pointer; text-decoration: underline;" onclick="javascript:DLV.show_span(${id(event)})">${first}</span>\
 <span style="display:inline;" id="${id(event)}_extra"> ... </span><span id="${id(event)}" style="display:none">${middle}</span>${last}
                     % else:
-                        ${msg | h}\
+                        ${msg}\
                     % endif
                     % if hasattr(event, 'traceback'):
                     <span style="float: right; cursor: pointer; text-decoration: underline; margin-left: 6px;" onclick="javascript:DLV.show_block('${'tb%s' % id(event)}')">TB</span>
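Review bot: with `| h` dropped from `${msg}`, nothing in this template shows that its output is escaped; `${first}`, `${middle}`, `${last}` and `${msg}` are safe only when the template is rendered through a lookup configured with `default_filters=['h']`. Add a template comment stating that dependency, and a regression test that renders both a long (truncated) and a short message containing markup such as `<b>` and asserts that the output contains `&lt;b&gt;`, so the truncated branch named in the commit message stays covered.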
