Bug 1014870 - < and > characters in system notes cause XML parsing error
Summary: < and > characters in system notes cause XML parsing error
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Beaker
Classification: Retired
Component: web UI
Version: 0.15
Hardware: Unspecified
OS: Unspecified
urgent
urgent
Target Milestone: 0.15.1
Assignee: Dan Callaghan
QA Contact: tools-bugs
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-10-03 00:43 UTC by Dan Callaghan
Modified: 2018-02-06 00:41 UTC (History)
8 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-10-23 06:58:16 UTC
Embargoed:



Description Dan Callaghan 2013-10-03 00:43:00 UTC
Description of problem:
As of Beaker 0.15, system notes are parsed as Markdown. However in default Markdown configuration, HTML tags are passed through as is (rather than being escaped). That means if a system note contains < > characters that aren't HTML, for example:

Console is available via conserver at:
console -l <user> <system_fqdn>

they will be passed through as HTML tags and then Kid will fail to parse them.

Version-Release number of selected component (if applicable):
0.15.0

How reproducible:
always

Steps to Reproduce:
1. Add a system note containing <something>

Actual results:
System page returns 500 error, stack trace is:

2013-10-03 10:23:48,188 cherrypy.msg INFO HTTP: Page handler: <bound method Root.view of <bkr.server.controllers.Root object at 0x5507590>>
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/CherryPy-2.3.0-py2.6.egg/cherrypy/_cphttptools.py", line 121, in _run
    self.main()
  File "/usr/lib/python2.6/site-packages/CherryPy-2.3.0-py2.6.egg/cherrypy/_cphttptools.py", line 264, in main
    body = page_handler(*virtual_path, **self.params)
  File "Server/bkr/server/controllers.py", line 885, in view
    return self._view_system_as_html(fqdn, **kwargs)
  File "<string>", line 3, in _view_system_as_html
  File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 361, in expose
    *args, **kw)
  File "/Server/bkr/server/wsgi.py", line 54, in run_with_transaction_noop
    return func(*args, **kwargs)
  File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 244, in _expose
    @abstract()
  File "<generated code>", line 0, in _expose
  File "/usr/lib/python2.6/site-packages/peak/rules/core.py", line 153, in __call__
    return self.body(*args, **kw)
  File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 390, in <lambda>
    fragment, options, args, kw)))
  File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 451, in _execute_func
    fragment, **options)
  File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 100, in _process_output
    headers=headers, fragment=fragment, **options)
  File "/usr/lib/python2.6/site-packages/turbogears/view/base.py", line 203, in render
    return engine.render(**kw)
  File "/usr/lib/python2.6/site-packages/turbokid/kidsupport.py", line 220, in render
    output=output, format=format)
  File "/usr/lib/python2.6/site-packages/kid/__init__.py", line 301, in serialize
    raise_template_error(module=self.__module__)
  File "/usr/lib/python2.6/site-packages/kid/__init__.py", line 299, in serialize
    return serializer.serialize(self, encoding, fragment, format)
  File "/usr/lib/python2.6/site-packages/kid/serialization.py", line 107, in serialize
    text = ''.join(self.generate(stream, encoding, fragment, format))
  File "/usr/lib/python2.6/site-packages/kid/serialization.py", line 629, in generate
    for ev, item in self.apply_filters(stream, format):
  File "/usr/lib/python2.6/site-packages/kid/serialization.py", line 165, in format_stream
    for ev, item in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 221, in _coalesce
    for ev, item in stream:
  File "/usr/lib/python2.6/site-packages/kid/serialization.py", line 477, in inject_meta_tags
    for ev, item in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/filter.py", line 32, in apply_matches
    item = stream.expand()
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 108, in expand
    for ev, item in self._iter:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 221, in _coalesce
    for ev, item in stream:
  File "/home/dcallagh/work/beaker/Server/bkr/server/templates/system.py", line 407, in _pull
  File "/usr/lib/python2.6/site-packages/turbogears/widgets/meta.py", line 99, in lockwidget
    output = self.__class__.display(self, *args, **kw)
  File "/usr/lib/python2.6/site-packages/turbogears/widgets/base.py", line 401, in display
    return super(CompoundWidget, self).display(value, **params)
  File "/usr/lib/python2.6/site-packages/turbogears/widgets/forms.py", line 48, in _update_path
    returnval = func(self, *args, **kw)
  File "/usr/lib/python2.6/site-packages/turbogears/widgets/forms.py", line 232, in display
    return super(InputWidget, self).display(value, **params)
  File "/usr/lib/python2.6/site-packages/turbogears/widgets/base.py", line 297, in display
    output = transform(params, self.template_c)
  File "/usr/lib/python2.6/site-packages/turbokid/kidsupport.py", line 234, in transform
    return kid.ElementStream(template.transform()).expand()
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 108, in expand
    for ev, item in self._iter:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/filter.py", line 26, in apply_matches
    for ev, item in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 221, in _coalesce
    for ev, item in stream:
  File "Server/bkr/server/templates/system_notes.py", line 141, in _pull
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 130, in strip
    for ev, item in self._iter:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 221, in _coalesce
    for ev, item in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 393, in __iter__
    for ev, stuff in self._expat_stream():
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 372, in _expat_stream
    feed(data)
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 434, in feed
    raise expat.ExpatError(e)
ExpatError: Error parsing XML:
console -l <user>
                                                                        ^
mismatched tag: line 2, column 72
Error location in template file 'Server/bkr/server/templates/system.kid'
between line 93, column 3 and line 94, column 3:
   </div>

Expected results:
< and > characters should be escaped (no raw HTML pass-through permitted in system notes).

Additional info:
Need to set safe_mode='escape': http://pythonhosted.org/Markdown/reference.html#safe_mode
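The following is an added example, not Beaker's code or Python-Markdown's. It reproduces the failure mode above without either library: a hypothetical minimal renderer stands in for Python-Markdown's default raw-HTML pass-through, `xml.etree` stands in for the Kid/expat stage that choked on `<user> <system_fqdn>`, and the fix is the equivalent of `safe_mode='escape'`, escaping HTML-special characters in the note before any markup is generated. The sample note is the one from the description. Escaping at that point does double duty: the template stage no longer sees stray tags, and user-supplied notes can no longer carry arbitrary HTML into the rendered page.

```python
import html
import xml.etree.ElementTree as ET

# Constructed sample: the system note quoted in the bug description.
NOTE = "Console is available via conserver at:\nconsole -l <user> <system_fqdn>\n"


def render_passthrough(note):
    """Hypothetical stand-in for a Markdown renderer in its default configuration:
    paragraphs are wrapped in <p>, line breaks become <br />, and anything that
    looks like an HTML tag is copied through verbatim (not Python-Markdown)."""
    paras = [p.strip() for p in note.split("\n\n") if p.strip()]
    return "".join("<p>%s</p>" % p.replace("\n", "<br />") for p in paras)


def render_escaped(note):
    """Same renderer with the equivalent of safe_mode='escape': <, > and & in
    the note are escaped before markup is generated, so '<user>' survives as
    text and never becomes a tag."""
    return render_passthrough(html.escape(note, quote=False))


def template_accepts(fragment):
    """Emulate the Kid template stage: the rendered fragment is embedded in a
    <div> and must be well-formed XML. Returns (ok, error_message)."""
    try:
        ET.fromstring("<div>%s</div>" % fragment)
        return True, ""
    except ET.ParseError as e:
        return False, str(e)


def visible_text(fragment):
    """Text a reader would see after the fragment is parsed as XML."""
    return "".join(ET.fromstring("<div>%s</div>" % fragment).itertext())


if __name__ == "__main__":
    for label, fragment in (("pass-through", render_passthrough(NOTE)),
                            ("escaped", render_escaped(NOTE))):
        ok, err = template_accepts(fragment)
        print("%-12s %s %s" % (label, "OK" if ok else "FAIL", err))
```

Run as a script it prints one `FAIL ... mismatched tag` line for the pass-through rendering, matching the `ExpatError` in the traceback, and `OK` for the escaped rendering, whose visible text is still the original `console -l <user> <system_fqdn>` line.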

Comment 1 Dan Callaghan 2013-10-03 00:59:42 UTC
On Gerrit: http://gerrit.beaker-project.org/2324

Comment 2 Amit Saha 2013-10-03 01:28:58 UTC
Something for the future: https://github.com/waylan/Python-Markdown/issues/214

Comment 4 wangjing 2013-10-08 05:38:07 UTC
verified on beaker-devel Version 0.15.0 (2013-10-8) --> pass

Steps:
1. Add a system note containing <something>

Actual results:
same as expected results.

Expected results:
no XML parsing error happens.

Comment 7 Raymond Mancy 2013-10-23 06:58:16 UTC
beaker 0.15.1 has been released.

