Bug 1014870 - < and > characters in system notes cause XML parsing error
Status: CLOSED CURRENTRELEASE
Product: Beaker
Classification: Community
Component: web UI
Version: 0.15
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: 0.15.1
Assigned To: Dan Callaghan
Reported: 2013-10-02 20:43 EDT by Dan Callaghan
Modified: 2013-10-23 02:58 EDT
Doc Type: Bug Fix
Last Closed: 2013-10-23 02:58:16 EDT
Type: Bug
Attachments: None
Description Dan Callaghan 2013-10-02 20:43:00 EDT
Description of problem:
As of Beaker 0.15, system notes are parsed as Markdown. However, in the default Markdown configuration, HTML tags are passed through as-is (rather than being escaped). That means that if a system note contains < > characters that aren't HTML, for example:

Console is available via conserver at:
console -l <user> <system_fqdn>

they will be passed through as HTML tags and then Kid will fail to parse them.

Version-Release number of selected component (if applicable):
0.15.0

How reproducible:
always

Steps to Reproduce:
1. Add a system note containing <something>

Actual results:
System page returns 500 error, stack trace is:

2013-10-03 10:23:48,188 cherrypy.msg INFO HTTP: Page handler: <bound method Root.view of <bkr.server.controllers.Root object at 0x5507590>>
Traceback (most recent call last):
  File "/usr/lib/python2.6/site-packages/CherryPy-2.3.0-py2.6.egg/cherrypy/_cphttptools.py", line 121, in _run
    self.main()
  File "/usr/lib/python2.6/site-packages/CherryPy-2.3.0-py2.6.egg/cherrypy/_cphttptools.py", line 264, in main
    body = page_handler(*virtual_path, **self.params)
  File "Server/bkr/server/controllers.py", line 885, in view
    return self._view_system_as_html(fqdn, **kwargs)
  File "<string>", line 3, in _view_system_as_html
  File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 361, in expose
    *args, **kw)
  File "/Server/bkr/server/wsgi.py", line 54, in run_with_transaction_noop
    return func(*args, **kwargs)
  File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 244, in _expose
    @abstract()
  File "<generated code>", line 0, in _expose
  File "/usr/lib/python2.6/site-packages/peak/rules/core.py", line 153, in __call__
    return self.body(*args, **kw)
  File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 390, in <lambda>
    fragment, options, args, kw)))
  File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 451, in _execute_func
    fragment, **options)
  File "/usr/lib/python2.6/site-packages/turbogears/controllers.py", line 100, in _process_output
    headers=headers, fragment=fragment, **options)
  File "/usr/lib/python2.6/site-packages/turbogears/view/base.py", line 203, in render
    return engine.render(**kw)
  File "/usr/lib/python2.6/site-packages/turbokid/kidsupport.py", line 220, in render
    output=output, format=format)
  File "/usr/lib/python2.6/site-packages/kid/__init__.py", line 301, in serialize
    raise_template_error(module=self.__module__)
  File "/usr/lib/python2.6/site-packages/kid/__init__.py", line 299, in serialize
    return serializer.serialize(self, encoding, fragment, format)
  File "/usr/lib/python2.6/site-packages/kid/serialization.py", line 107, in serialize
    text = ''.join(self.generate(stream, encoding, fragment, format))
  File "/usr/lib/python2.6/site-packages/kid/serialization.py", line 629, in generate
    for ev, item in self.apply_filters(stream, format):
  File "/usr/lib/python2.6/site-packages/kid/serialization.py", line 165, in format_stream
    for ev, item in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 221, in _coalesce
    for ev, item in stream:
  File "/usr/lib/python2.6/site-packages/kid/serialization.py", line 477, in inject_meta_tags
    for ev, item in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/filter.py", line 32, in apply_matches
    item = stream.expand()
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 108, in expand
    for ev, item in self._iter:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 221, in _coalesce
    for ev, item in stream:
  File "/home/dcallagh/work/beaker/Server/bkr/server/templates/system.py", line 407, in _pull
  File "/usr/lib/python2.6/site-packages/turbogears/widgets/meta.py", line 99, in lockwidget
    output = self.__class__.display(self, *args, **kw)
  File "/usr/lib/python2.6/site-packages/turbogears/widgets/base.py", line 401, in display
    return super(CompoundWidget, self).display(value, **params)
  File "/usr/lib/python2.6/site-packages/turbogears/widgets/forms.py", line 48, in _update_path
    returnval = func(self, *args, **kw)
  File "/usr/lib/python2.6/site-packages/turbogears/widgets/forms.py", line 232, in display
    return super(InputWidget, self).display(value, **params)
  File "/usr/lib/python2.6/site-packages/turbogears/widgets/base.py", line 297, in display
    output = transform(params, self.template_c)
  File "/usr/lib/python2.6/site-packages/turbokid/kidsupport.py", line 234, in transform
    return kid.ElementStream(template.transform()).expand()
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 108, in expand
    for ev, item in self._iter:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/filter.py", line 26, in apply_matches
    for ev, item in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 221, in _coalesce
    for ev, item in stream:
  File "Server/bkr/server/templates/system_notes.py", line 141, in _pull
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 130, in strip
    for ev, item in self._iter:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 179, in _track
    for p in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 221, in _coalesce
    for ev, item in stream:
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 393, in __iter__
    for ev, stuff in self._expat_stream():
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 372, in _expat_stream
    feed(data)
  File "/usr/lib/python2.6/site-packages/kid/parser.py", line 434, in feed
    raise expat.ExpatError(e)
ExpatError: Error parsing XML:
console -l <user>
                                                                        ^
mismatched tag: line 2, column 72
Error location in template file 'Server/bkr/server/templates/system.kid'
between line 93, column 3 and line 94, column 3:
   </div>

Expected results:
< and > characters should be escaped (no raw HTML pass-through permitted in system notes).

Additional info:
Need to set safe_mode='escape': http://pythonhosted.org/Markdown/reference.html#safe_mode
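As an added illustration (not Beaker's code), the failure above is an XML well-formedness problem: Kid templates are XML, so anything spliced into them unescaped must itself be well-formed. The script feeds the sample note into a Kid-like wrapper through expat, the parser in the stack trace, once in pass-through mode and once escaped; escaping also means note text can never be interpreted as markup on the rendered page. The escaping step uses xml.sax.saxutils.escape as a stand-in for Python-Markdown's safe_mode='escape' (an assumption; safe_mode was later removed in Python-Markdown 3.0), and SAMPLE_NOTE is a constructed input with the same shape as the note in the report.

```python
import xml.parsers.expat
from xml.sax.saxutils import escape

# Constructed sample note, same shape as the one quoted in the bug report.
SAMPLE_NOTE = (
    "Console is available via conserver at:\n"
    "console -l <user> <system_fqdn>\n"
)


def embed_in_template(note_html):
    """Mimic what the Kid template does: splice the rendered note into an
    XML element. The whole document must then be well-formed XML."""
    return '<div class="note">' + note_html + "</div>"


def parse_as_xml(document):
    """Feed the document to expat (the parser Kid uses underneath) and
    return the error message, or None if it parsed cleanly."""
    parser = xml.parsers.expat.ParserCreate()
    try:
        parser.Parse(document, True)
    except xml.parsers.expat.ExpatError as err:
        return str(err)
    return None


def render_note(note, escape_html):
    """Return (document, error). escape_html=False is the pre-0.15.1
    pass-through behaviour: anything that looks like a tag is copied into
    the template verbatim. escape_html=True is the requested fix; the
    escaping here (xml.sax.saxutils.escape) is an assumption standing in
    for the Markdown library's own safe_mode='escape' handling."""
    body = escape(note) if escape_html else note
    document = embed_in_template(body)
    return document, parse_as_xml(document)


if __name__ == "__main__":
    for mode in (False, True):
        doc, error = render_note(SAMPLE_NOTE, escape_html=mode)
        print("escape_html=%s -> %s" % (mode, error or "parsed OK"))
```

Pass-through only fails when the angle brackets are not real tags; a note containing valid HTML such as `<b>bold</b>` parses fine, which is why the default went unnoticed until a note with placeholders like `<user>` was added.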
Comment 1 Dan Callaghan 2013-10-02 20:59:42 EDT
On Gerrit: http://gerrit.beaker-project.org/2324
Comment 2 Amit Saha 2013-10-02 21:28:58 EDT
Something for the future: https://github.com/waylan/Python-Markdown/issues/214
Comment 4 wangjing 2013-10-08 01:38:07 EDT
verified on beaker-devel Version 0.15.0 (2013-10-8) --> pass

Steps:
1. Add a system note containing <something>

Actual results:
same as expected results.

Expected results:
no XML parsing error happens.
Comment 7 Raymond Mancy 2013-10-23 02:58:16 EDT
beaker 0.15.1 has been released.