Changeset 13495


Ignore:
Timestamp:
24 Nov 2015, 21:05:02 (9 years ago)
Author:
uli
Message:

Escape HTML in Logfiles when displayed in Browser.

When logfiles are displayed in datacenter, included
HTML tags should show up as tags and not be rendered
by the browser. We therefore cgi.escape logfile
contents.

Location:
main/waeup.kofa/trunk/src/waeup/kofa/browser
Files:
2 edited

Legend:

Unmodified
Added
Removed

  • main/waeup.kofa/trunk/src/waeup/kofa/browser/pages.py

    r13468 r13495  
    1919"""
    2020# XXX: All csv ops should move to a dedicated module soon
     21import cgi
    2122import unicodecsv as csv
    2223import grok
     
    17341735            return
    17351736        try:
    1736             self.result = ''.join(
    1737                 self.context.queryLogfiles(logname, query))
     1737            lines = self.context.queryLogfiles(logname, query)
     1738            self.result = ''.join([cgi.escape(line) for line in lines])
    17381739        except ValueError:
    17391740            self.flash(_('Invalid search expression.'), type='danger')

  • main/waeup.kofa/trunk/src/waeup/kofa/browser/tests/test_browser.py

    r13394 r13495  
     1# -*- coding: utf-8 -*-
    12## $Id$
    23##
     
    114115        return
    115116
     117    def test_logs_listed(self):
     118        # existing logfiles are listed in logs overview
     119        self.browser.addHeader('Authorization', 'Basic mgr:mgrpw')
     120        log_path = os.path.join(
     121            self.app['datacenter'].storage, 'logs', 'myspecial.log')
     122        with open(log_path, "a") as fd:
     123            fd.write("SOME FOO IN LOGFILE")
     124        self.browser.open(self.datacenter_path + "/logs")
     125        assert "myspecial.log" in self.browser.contents
     126
     127    def test_view_log(self):
     128        # single logfiles can be watched (with filter regexp)
     129        self.browser.addHeader('Authorization', 'Basic mgr:mgrpw')
     130        log_path = os.path.join(
     131            self.app['datacenter'].storage, 'logs', 'myspecial.log')
     132        with open(log_path, "a") as fd:
     133            fd.write("SOME FOO IN LOGFILE")
     134        self.browser.open(
     135            self.datacenter_path + "/@@show/?logname=myspecial.log&query=.*")
     136        assert "SOME FOO IN LOGFILE" in self.browser.contents
     137
     138    def test_html_in_logs_escaped(self):
     139        # HTML code in logfiles is escaped before output.
     140        self.browser.addHeader('Authorization', 'Basic mgr:mgrpw')
     141        log_path = os.path.join(
     142            self.app['datacenter'].storage, 'logs', 'myspecial.log')
     143        with open(log_path, "a") as fd:
     144            fd.write("SOME <TAG> AND ÜMLÄUTS IN LOG")
     145        self.browser.open(
     146            self.datacenter_path + "/@@show/?logname=myspecial.log&query=.*")
     147        assert "SOME &lt;TAG&gt; AND ÜMLÄUTS IN LOG" in self.browser.contents
     148
    116149    def test_file_download_delete(self):
    117150        self.browser.addHeader('Authorization', 'Basic mgr:mgrpw')
Note: See TracChangeset for help on using the changeset viewer.