From: Changqing Li <changqing...@windriver.com>
when we have below content in local.conf or auto.conf:
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.k...@gmail.com>"
send-error-report will fail with "HTTP Error 500: OK"
error-report-web do rudimentary check on all fields that are
passed to the graphs page to avoid any XSS happening, if contains
'<', the server will return error(Invalid characters in json).
fixed by use escape of <> to replace it.
NOTE: with this change, error-report-web need to add filter 'safe'
for the string wanted to display to avoid further HTML escaping
prior to output. Below is how the content displayed on webpage:
with the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.k...@gmail.com>"
without the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.k...@gmail.com>"
Another patch for error-report-web will send to yocto mail list.
[YOCTO #13252]
Signed-off-by: Changqing Li <changqing...@windriver.com>
Signed-off-by: Khem Raj <raj.k...@gmail.com>
---
meta/classes/report-error.bbclass | 1 +
1 file changed, 1 insertion(+)
diff --git a/meta/classes/report-error.bbclass
b/meta/classes/report-error.bbclass
index 9cb6b0bd31..8dac854944 100644
--- a/meta/classes/report-error.bbclass
+++ b/meta/classes/report-error.bbclass
@@ -38,6 +38,7 @@ def get_conf_data(e, filename):
continue
else:
jsonstring=jsonstring + line
+ jsonstring = jsonstring.replace("<", "<").replace(">", ">")
return jsonstring
python errorreport_handler () {
--
2.30.2
-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#149444):
https://lists.openembedded.org/g/openembedded-core/message/149444
Mute This Topic: https://lists.openembedded.org/mt/81339399/21656
Group Owner: openembedded-core+ow...@lists.openembedded.org
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub
[arch...@mail-archive.com]
-=-=-=-=-=-=-=-=-=-=-=-
