From Aleksi.Niemela at cs.helsinki.fi  Tue Jun 28 20:37:46 2005
From: Aleksi.Niemela at cs.helsinki.fi (Aleksi Niemela)
Date: Tue Jun 28 20:35:04 2005
Subject: [Wee-talk] Patch: correctly formatted error responses
Message-ID: <42C1ED5A.3050605@cs.helsinki.fi>

Just a small fix to wee-0.8.0 response.rb to deal with inspect generated 
'<' marks (among others).

$ diff -u lib/wee/response.rb~ lib/wee/response.rb
--- lib/wee/response.rb~        2005-04-09 11:57:03.290039000 +0300
+++ lib/wee/response.rb 2005-06-29 03:25:03.753625000 +0300
@@ -77,8 +77,8 @@

   def render(c)
     c << "<html><head><title>Error occured</title></head><body>"
-    c << "<p>#{ @exception }"
-    c << @exception.backtrace.join("<br/>")
+    c << "<p>#{ CGI.escapeHTML(@exception.inspect) }<br/>"
+    c << @exception.backtrace.map{|s| CGI.escapeHTML(s)}.join("<br/>")
     c << "</p>"
     c << "</body></html>"
   end

I would have used HTMLWriter or some kind of wrapper but I was unsure if 
there's html rendering context available at the time the error response 
is generated so I ended up just wrapping up error messages in escaping.

Error generating code has now dependency to Cgi library, but I didn't 
add that. In my program either application.rb, session.rb or writer.rb 
loads it up already, but I'm unsure if there could be situation that 
none of those loads it.

One more note. If only escaping and cookie generation are used from lib 
Cgi, perhaps the dependency could be made away entirely although it's a 
standard library.

    - Aleksi

From mneumann at ntecs.de  Thu Jun 30 06:39:55 2005
From: mneumann at ntecs.de (Michael Neumann)
Date: Thu Jun 30 06:35:07 2005
Subject: [Wee-talk] Patch: correctly formatted error responses
In-Reply-To: <42C1ED5A.3050605@cs.helsinki.fi>
References: <42C1ED5A.3050605@cs.helsinki.fi>
Message-ID: <42C3CBFB.2050507@ntecs.de>

Aleksi Niemela wrote:
> Just a small fix to wee-0.8.0 response.rb to deal with inspect generated 
> '<' marks (among others).
> 
> $ diff -u lib/wee/response.rb~ lib/wee/response.rb
> --- lib/wee/response.rb~        2005-04-09 11:57:03.290039000 +0300
> +++ lib/wee/response.rb 2005-06-29 03:25:03.753625000 +0300
> @@ -77,8 +77,8 @@
> 
>   def render(c)
>     c << "<html><head><title>Error occured</title></head><body>"
> -    c << "<p>#{ @exception }"
> -    c << @exception.backtrace.join("<br/>")
> +    c << "<p>#{ CGI.escapeHTML(@exception.inspect) }<br/>"
> +    c << @exception.backtrace.map{|s| CGI.escapeHTML(s)}.join("<br/>")
>     c << "</p>"
>     c << "</body></html>"
>   end


Thanks. This is now fixed in SVN.

Regards,

   Michael