author: Changqing Li <changqing.li@windriver.com> 2021-03-14 18:03:25 -0700
committer: Martin Jansa <Martin.Jansa@gmail.com> 2021-06-19 23:06:52 +0200
commit: f5b31684d0d6d95f0087da01ae1ad95bf98f31cf (patch)
tree: f867418db9196148a6dd3f3ffb714f0b7f4d9dc5
parent: ffdf84f87f5499420c15936d2b0103a242862720 (diff)
report-error.bbclass: replace angle brackets with &lt; and &gt;
When we have the below content in local.conf or auto.conf:

    BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem@gmail.com>"

send-error-report will fail with an "HTTP Error 500: OK" error.

error-report-web does a rudimentary check on all fields that are passed to the graphs page to avoid any XSS happening; if a field contains '<', the server will return an error (Invalid characters in json). Fixed by using the escapes of <> to replace it.

NOTE: with this change, error-report-web needs to add the filter 'safe' for the string it wants to display, to avoid further HTML escaping prior to output. Below is how the content is displayed on the webpage:

with the filter 'safe':

    BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem@gmail.com>"

without the filter 'safe':

    BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj &lt;raj.khem@gmail.com&gt;"

Another patch for error-report-web will be sent to the yocto mail list.

[YOCTO #13252]

Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-rw-r--r--  meta/classes/report-error.bbclass  1
1 files changed, 1 insertions, 0 deletions
diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass
index 0ddbab9071..d07aa77c54 100644
--- a/meta/classes/report-error.bbclass
+++ b/meta/classes/report-error.bbclass
@@ -44,6 +44,7 @@ def get_conf_data(e, filename):
continue
else:
jsonstring=jsonstring + line
+ jsonstring = jsonstring.replace("<", "&lt;").replace(">", "&gt;")
return jsonstring
def errorreport_get_user_info(e):
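Review bot: the added line `jsonstring = jsonstring.replace("<", "&lt;").replace(">", "&gt;")` escapes only `<` and `>`, leaving `&`, `"` and `'` untouched; since the commit message states that error-report-web will render this field with the 'safe' filter (no further escaping at output time), any of those characters present in a local.conf or auto.conf line will reach the page raw, and a value that already contains a literal `&lt;` becomes indistinguishable from an escaped `<`. Python's `html.escape(jsonstring, quote=True)` from the standard library covers all five characters in one call and would be the safer replacement here. More generally, escaping on the sender side and marking the data 'safe' on the server moves the XSS defence away from the output layer, which is where it is normally enforced; if the server side is being patched anyway, having it escape at render time and accept `<` in the JSON would avoid this client-side workaround entirely.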