- LP #491224: proper escaping of rendered error message

f07df416 · Andreas Jung · ad2ff265 · f07df416 · f07df416
Commit f07df416 authored Jan 11, 2010 by Andreas Jung
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

doc/CHANGES.txt doc/CHANGES.txt +2 -0

lib/python/OFS/SimpleItem.py lib/python/OFS/SimpleItem.py +3 -0

No files found.
--- a/doc/CHANGES.txt
+++ b/doc/CHANGES.txt
@@ -8,6 +8,8 @@ Zope Changes
    Bugs fixed
+      - LP #491224: proper escaping of rendered error message
      - Also look for ZEXP imports within the clienthome directory. This
        provides a place to put imports that won't be clobbered by buildout
        in a buildout-based Zope instance.

--- a/lib/python/OFS/SimpleItem.py
+++ b/lib/python/OFS/SimpleItem.py
@@ -36,6 +36,7 @@ from DocumentTemplate.html_quote import html_quote
 from DocumentTemplate.ustr import ustr
 from ExtensionClass import Base
 from webdav.Resource import Resource
+from webdav.xmltools import escape as xml_escape
 from zExceptions import Redirect
 from zExceptions.ExceptionFormatter import format_exception
 from zope.interface import implements
@@ -228,6 +229,7 @@ class Item(Base, Resource, CopySource, App.Management.Tabs, Traversable,
                else:
                    v = HTML.__call__(s, client, REQUEST, **kwargs)
            except:
                logger.error(
                    'Exception while rendering an error message',
                    exc_info=True
@@ -243,6 +245,7 @@ class Item(Base, Resource, CopySource, App.Management.Tabs, Traversable,
                     "event log for full details: %s)")%(
                    html_quote(sys.exc_info()[1]),
                    ))
+            v = xml_escape(v)
            raise error_type, v, tb
        finally:
            if hasattr(self, '_v_eek'): del self._v_eek