authorIan Bicking <ianb@colorstudy.com>2010-06-15 12:30:05 -0500
committerIan Bicking <ianb@colorstudy.com>2010-06-15 12:30:05 -0500
commitbde24c75563bee1f86eec96ec2bd9adac5b71e29 (patch)
treef9218976db1cfeccafb04a91fa75864aa2b7de2e /paste/httpexceptions.py
parent15e51654e469e87a6974e46969e8ec1295937f96 (diff)
Fix XSS attacks as reported by Tim Wintle
Diffstat (limited to 'paste/httpexceptions.py')
-rw-r--r--paste/httpexceptions.py11
1 files changed, 5 insertions, 6 deletions
diff --git a/paste/httpexceptions.py b/paste/httpexceptions.py
index 8e2f81c..208d5cf 100644
--- a/paste/httpexceptions.py
+++ b/paste/httpexceptions.py
@@ -77,7 +77,7 @@ import types
from paste.wsgilib import catch_errors_app
from paste.response import has_header, header_value, replace_header
from paste.request import resolve_relative_url
-from paste.util.quoting import strip_html, html_quote, no_quote
+from paste.util.quoting import strip_html, html_quote, no_quote, comment_quote
SERVER_NAME = 'WSGI Server'
TEMPLATE = """\
@@ -212,12 +212,12 @@ class HTTPException(Exception):
def plain(self, environ):
""" text/plain representation of the exception """
- body = self.make_body(environ, strip_html(self.template), no_quote)
+ body = self.make_body(environ, strip_html(self.template), comment_quote)
return ('%s %s\r\n%s\r\n' % (self.code, self.title, body))
def html(self, environ):
""" text/html representation of the exception """
- body = self.make_body(environ, self.template, html_quote, no_quote)
+ body = self.make_body(environ, self.template, html_quote, comment_quote)
return TEMPLATE % {
'title': self.title,
'code': self.code,
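Review bot: In `plain()` the new `comment_quote` sits in the third positional slot, where `html()` passes `html_quote`, so it appears to become the escape function for every substituted value rather than only for the comment. `make_body` is outside the hunk, so this is inferred from the two call sites. Judging by its name, `comment_quote` only stops text from closing an HTML comment, so the text/plain body would still carry `<` and `>` unchanged and its safety rests on the client honouring the text/plain content type. I would record that above the call, e.g. `# text/plain: values are not HTML-escaped; comment_quote only neutralises comment terminators`, and add a regression test that renders both `plain()` and `html()` with a comment containing `-->`. The body of `html()` continues past the end of the hunk.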
@@ -334,14 +334,14 @@ class _HTTPMove(HTTPRedirection):
def relative_redirect(cls, dest_uri, environ, detail=None, headers=None, comment=None):
"""
- Create a redirect object with the dest_uri, which may be relative,
+ Create a redirect object with the dest_uri, which may be relative,
considering it relative to the uri implied by the given environ.
"""
location = resolve_relative_url(dest_uri, environ)
headers = headers or []
headers.append(('Location', location))
return cls(detail=detail, headers=headers, comment=comment)
-
+
relative_redirect = classmethod(relative_redirect)
def location(self):
@@ -658,4 +658,3 @@ def make_middleware(app, global_conf=None, warning_level=None):
return HTTPExceptionHandler(app, warning_level=warning_level)
__all__.extend(['HTTPExceptionHandler', 'get_exception'])
-