[zope2-tracker] [Bug 1515122] [NEW] ZOPE2.13.23: escaped HTML tags in NotFound Error Page

Mathias Ziehmayer mathias.ziehmayer at gmx.at
Wed Nov 11 08:10:55 CET 2015 

Public bug reported:

Hi,

On a vanilla ZOPE 2.13.23 install the NotFound (404) Error Page contains
escaped HTML tags and is not properly displayed by the browser. Also,
the traceback includes a copy of the the HTML error message (again with
escaped tags).

The patch below fixes the *symptoms* for NotFound. It is however likely
that other Exceptions (e.g. all that have their error messages generated
by by ZPublisher.HTTPResponse._error_html()) have the same problem.

Thank you && best regards,
Mathias


excp_hook_fmt.patch

--- eggs/Zope2-2.13.23-py2.7.egg/OFS/SimpleItem.py.ori  2015-11-10 10:22:53.163437323 +0100
+++ eggs/Zope2-2.13.23-py2.7.egg/OFS/SimpleItem.py  2015-11-10 10:52:33.852662569 +0100
@@ -46,6 +46,7 @@
 from Persistence import Persistent
 from webdav.Resource import Resource
 from webdav.xmltools import escape as xml_escape
+from zExceptions import NotFound
 from zExceptions import Redirect
 from zExceptions.ExceptionFormatter import format_exception
 from zope.interface import implements
@@ -62,6 +63,9 @@
 import logging
 logger = logging.getLogger()
 
+# special case formatting for well known pre-formatted (HTML) exceptions
+PREFORMATTED_EXCEPTIONS = [NotFound]
+
 class Item(Base,
            Resource,
            CopySource,
@@ -235,6 +239,9 @@
                           'error_traceback': error_tb,
                           'error_message': xml_escape(str(error_message)),
                           'error_log_url': error_log_url}
+                # error message: do not escape if already formatted as HTML
+                if error_type in PREFORMATTED_EXCEPTIONS:
+                    kwargs['error_message'] = str(error_message)
 
                 if getattr(aq_base(s), 'isDocTemp', 0): 
                     v = s(client, REQUEST, **kwargs)
@@ -427,6 +434,9 @@
 
 
 def pretty_tb(t, v, tb, as_html=1):
+    # do dot include message itself in traceback of pre-formatted exceptions
+    if t in PREFORMATTED_EXCEPTIONS:
+        v = ''
     tb = format_exception(t, v, tb, as_html=as_html)
     tb = '\n'.join(tb)
     return tb

** Affects: zope2
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Zope 2
Developers, which is subscribed to Zope 2.
https://bugs.launchpad.net/bugs/1515122

Title:
  ZOPE2.13.23: escaped HTML tags in NotFound Error Page

To manage notifications about this bug go to:
https://bugs.launchpad.net/zope2/+bug/1515122/+subscriptions

More information about the zope2-tracker mailing list