Better fix, with test, for error-during-standard_error_message with tainted error_value.

lib/python/OFS/SimpleItem.py

@@ -25,7 +25,6 @@ import marshal, re, sys, time
 import Globals, App.Management, Acquisition, App.Undo
 import AccessControl.Role, AccessControl.Owned, App.Common
 from webdav.Resource import Resource
-from webdav.xmltools import escape as xml_escape
 from ExtensionClass import Base
 from ComputedAttribute import ComputedAttribute
 from AccessControl import getSecurityManager, Unauthorized
@@ -218,7 +217,7 @@ class Item(Base, Resource, CopySource, App.Management.Tabs, Traversable,
                     exc_info=True
                     )
                 try:
-                    strv = str(error_value)
+                    strv = repr(error_value) # quotes tainted strings
                 except:
                     strv = ('<unprintable %s object>' % 
                             str(type(error_value).__name__))
@@ -228,7 +227,6 @@ class Item(Base, Resource, CopySource, App.Management.Tabs, Traversable,
                      "event log for full details: %s)")%(
                     html_quote(sys.exc_info()[1]),
                     ))
-            v = xml_escape(v)
             raise error_type, v, tb
         finally:
             if hasattr(self, '_v_eek'): del self._v_eek

lib/python/OFS/tests/test_SimpleItem.py

+import unittest
+
+class ItemTests(unittest.TestCase):
+
+    def _getTargetClass(self):
+        from OFS.SimpleItem import Item
+        return Item
+
+    def _makeOne(self, *args, **kw):
+        return self._getTargetClass()(*args, **kw)
+
+    def test_raise_StandardErrorMessage_str_errorValue(self):
+        item = self._makeOne()
+        def _raise_during_standard_error_message(*args, **kw):
+            raise ZeroDivisionError('testing')
+        item.standard_error_message = _raise_during_standard_error_message
+        try:
+            item.raise_standardErrorMessage(
+                            error_type=OverflowError,
+                            error_value='simple',
+                            REQUEST={'dummy': ''},
+                            )
+        except:
+            import sys
+            self.assertEqual(sys.exc_info()[0], 'OverflowError')
+            value = sys.exc_info()[1]
+            self.failUnless(value.startswith("'simple'"))
+            self.failUnless('full details: testing' in value)
+
+    def test_raise_StandardErrorMessage_TaintedString_errorValue(self):
+        from ZPublisher.TaintedString import TaintedString
+        item = self._makeOne()
+        def _raise_during_standard_error_message(*args, **kw):
+            raise ZeroDivisionError('testing')
+        item.standard_error_message = _raise_during_standard_error_message
+        try:
+            item.raise_standardErrorMessage(
+                            error_type=OverflowError,
+                            error_value=TaintedString('<simple>'),
+                            REQUEST={'dummy': ''},
+                            )
+        except:
+            import sys
+            self.assertEqual(sys.exc_info()[0], 'OverflowError')
+            value = sys.exc_info()[1]
+            self.failIf('<' in value)
+
+def test_suite():
+    return unittest.TestSuite((
+        unittest.makeSuite(ItemTests),
+        ))