[OE-core] [PATCH] report-error.bbclass: replace angle brackets with < and >

Changqing Li changqing.li at windriver.com
Wed Dec 4 00:25:47 UTC 2019


ping

On 11/12/19 4:32 PM, changqing.li at windriver.com wrote:
> From: Changqing Li <changqing.li at windriver.com>
>
> when we have the below content in local.conf or auto.conf:
> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem at gmail.com>"
> send-error-report will fail with "HTTP Error 500: OK"
>
> error-report-web does a rudimentary check on all fields that are
> passed to the graphs page to avoid any XSS happening; if a field contains
> '<', the server will return an error (Invalid characters in json).
> Fixed by replacing <> with their escapes.
>
> NOTE: with this change, error-report-web needs to add the filter 'safe'
> for the string to be displayed, to avoid further HTML escaping
> prior to output. Below is how the content is displayed on the webpage:
> with the filter 'safe':
> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem at gmail.com>"
> without the filter 'safe':
> BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj &lt;raj.khem at gmail.com&gt;"
>
> Another patch for error-report-web will be sent to the yocto mailing list.
>
> [YOCTO #13252]
>
> Signed-off-by: Changqing Li <changqing.li at windriver.com>
> ---
>   meta/classes/report-error.bbclass | 1 +
>   1 file changed, 1 insertion(+)
>
> diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass
> index 1a12db1..6046867 100644
> --- a/meta/classes/report-error.bbclass
> +++ b/meta/classes/report-error.bbclass
> @@ -36,6 +36,7 @@ def get_conf_data(e, filename):
>                       continue
>                   else:
>                       jsonstring=jsonstring + line
> +    jsonstring = jsonstring.replace("<", "&lt;").replace(">", "&gt;")
>       return jsonstring
>   
>   python errorreport_handler () {
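Review bot: the replace on the `+` line escapes `<` and `>` but not `&`, so the transformation is not reversible: a value that already contains a literal `&lt;` in local.conf passes through unchanged and, once error-report-web renders the field with the `safe` filter described in the message, is displayed as `<`, which no longer matches the config. Escape `&` first, e.g. `jsonstring = html.escape(jsonstring, quote=False)` from the standard library, which handles all three characters in the right order. A second point on the approach: moving the escaping to the sender and adding `safe` on the server side means the server's XSS check no longer protects against a sender that does not perform this replace; keeping escaping on the output side (no `safe` filter) would be the safer layering.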


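The reversibility problem is easy to show in a few lines. This is an added example, not code from the posted patch or from error-report-web; the function names and the sample local.conf lines are constructed for illustration, and only the standard-library `html` module is assumed.

```python
import html

# Constructed local.conf fragment matching the one from the commit message.
SAMPLE_CONF = 'BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem at gmail.com>"\n'


def patch_escape(s: str) -> str:
    """What the posted hunk does: escape '<' and '>' only, leaving '&' alone."""
    return s.replace("<", "&lt;").replace(">", "&gt;")


def full_escape(s: str) -> str:
    """Escape '&' as well (done first by html.escape), so decoding is unambiguous."""
    return html.escape(s, quote=False)


def round_trips(escape) -> bool:
    """True when html.unescape(escape(x)) == x for every constructed sample.

    The second sample already contains a literal '&lt;', which is exactly the
    input that the '<'/'>'-only replace cannot distinguish from an escaped '<'.
    """
    samples = [
        SAMPLE_CONF,
        'FOO = "a &lt; b"',      # literal entity text in the config
        'BAR = "x & y > z"',     # bare ampersand plus a '>'
    ]
    return all(html.unescape(escape(x)) == x for x in samples)
```

Both variants remove the bare `<` that error-report-web rejects; only the version that escapes `&` first survives the unescaping that the `safe` filter implies.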