Files
@ c9cfaeb1cdfe
Branch filter:
Location: kallithea/docs/usage/debugging.rst - annotation
c9cfaeb1cdfe
1.2 KiB
text/prs.fallenstein.rst
tooltips: fix unsafe insertion of userdata into the DOM as html
This fixes js injection in the admin journal ... and probably also in other places.
Tooltips are used both with hardcoded strings (which is safe and simple) and
with user provided strings wrapped in html formatting (which requires careful
escaping before being put into the DOM as html). The templating will
automatically take care of one level of escaping, but here it requires two
levels to do it correctly ... and that was not always done correctly.
Instead, by default, just insert it into the DOM as text, not as html.
The few places where we know the tooltip contains safe html are handled
specially - the element is given the safe-html-title class. That is the case in
file annotation and in display of tip revision in repo lists.
This fixes js injection in the admin journal ... and probably also in other places.
Tooltips are used both with hardcoded strings (which is safe and simple) and
with user provided strings wrapped in html formatting (which requires careful
escaping before being put into the DOM as html). The templating will
automatically take care of one level of escaping, but here it requires two
levels to do it correctly ... and that was not always done correctly.
Instead, by default, just insert it into the DOM as text, not as html.
The few places where we know the tooltip contains safe html are handled
specially - the element is given the safe-html-title class. That is the case in
file annotation and in display of tip revision in repo lists.
4d076981a7b1 4d076981a7b1 4d076981a7b1 e73a69cb98dc 4d076981a7b1 4d076981a7b1 4e6dfdb3fa01 4e6dfdb3fa01 4d076981a7b1 4e6dfdb3fa01 4d076981a7b1 03bbd33bc084 4d076981a7b1 4d076981a7b1 4e6dfdb3fa01 4e6dfdb3fa01 4e6dfdb3fa01 4e6dfdb3fa01 097327aaf2ad 4d076981a7b1 4d076981a7b1 03bbd33bc084 4d076981a7b1 4d076981a7b1 4e6dfdb3fa01 4e6dfdb3fa01 4e6dfdb3fa01 4e6dfdb3fa01 4e6dfdb3fa01 4e6dfdb3fa01 4e6dfdb3fa01 4e6dfdb3fa01 | .. _debugging:
===================
Debugging Kallithea
===================
If you encounter problems with Kallithea, here are some instructions
on how to debug them.
.. note:: First make sure you're using the latest version available.
Enable detailed debug
---------------------
Kallithea uses the standard Python ``logging`` module to log its output.
By default only loggers with ``INFO`` level are displayed. To enable full output
change ``level = DEBUG`` for all logging handlers in the currently used .ini file.
This change will allow you to see much more detailed output in the log file or
console. This generally helps a lot to track issues.
Enable interactive debug mode
-----------------------------
To enable interactive debug mode simply comment out ``set debug = false`` in
the .ini file. This will trigger an interactive debugger each time
there is an error in the browser, or send a http link if an error occured in the backend. This
is a great tool for fast debugging as you get a handy Python console right
in the web view.
.. warning:: NEVER ENABLE THIS ON PRODUCTION! The interactive console
can be a serious security threat to your system.
|