[OE-core] [PATCH] report-error.bbclass: replace angle brackets with &lt; and &gt;

Richard Purdie richard.purdie at linuxfoundation.org
Wed Dec 4 08:16:43 UTC 2019


On Wed, 2019-12-04 at 08:25 +0800, Changqing Li wrote:
> ping

There was a reply from Paul Eggleton about the server side of this
patch; were those issues addressed?

Cheers,

Richard

> On 11/12/19 4:32 PM, changqing.li at windriver.com wrote:
> > From: Changqing Li <changqing.li at windriver.com>
> > 
> > When we have the content below in local.conf or auto.conf:
> > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem at gmail.com>"
> > send-error-report will fail with "HTTP Error 500: OK".
> > 
> > error-report-web does a rudimentary check on all fields that are
> > passed to the graphs page to avoid any XSS happening; if a field
> > contains '<', the server will return an error (Invalid characters in json).
> > Fixed by using the escaped form of <> to replace them.
> > 
> > NOTE: with this change, error-report-web needs to add the filter 'safe'
> > for the strings it wants to display, to avoid further HTML escaping
> > prior to output. Below is how the content is displayed on the webpage:
> > with the filter 'safe':
> > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem at gmail.com>"
> > without the filter 'safe':
> > BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj &lt;raj.khem at gmail.com&gt;"
> > 
> > Another patch for error-report-web will be sent to the yocto mail list.
> > 
> > [YOCTO #13252]
> > 
> > Signed-off-by: Changqing Li <changqing.li at windriver.com>
> > ---
> >   meta/classes/report-error.bbclass | 1 +
> >   1 file changed, 1 insertion(+)
> > 
> > diff --git a/meta/classes/report-error.bbclass
> > b/meta/classes/report-error.bbclass
> > index 1a12db1..6046867 100644
> > --- a/meta/classes/report-error.bbclass
> > +++ b/meta/classes/report-error.bbclass
> > @@ -36,6 +36,7 @@ def get_conf_data(e, filename):
> >                       continue
> >                   else:
> >                       jsonstring=jsonstring + line
> > +    jsonstring = jsonstring.replace("<", "&lt;").replace(">",
> > "&gt;")
> >       return jsonstring
> >   
> >   python errorreport_handler () {
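Review bot: the added replace() call in get_conf_data escapes only "<" and ">" but leaves "&" untouched, so the transformation is not reversible: a configuration value that literally contains "&lt;" is sent identically to one that contains "<", and once the server renders the field through the 'safe' filter (as the commit message says it must) it has no way to tell them apart. Use an escaping routine that also handles "&" (html.escape(jsonstring, quote=False) from the standard library does exactly the three replacements), so the server-side rendering round-trips correctly. It is also worth a comment in the class, next to this line, that the output now depends on the error-report-web server applying 'safe' on display; against an unpatched server the submitted config will show the entities literally, as the commit message's "without the filter 'safe'" example demonstrates.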


