Files @ c7728c5736fd
Branch filter:

Location: kallithea/docs/usage/debugging.rst

c7728c5736fd 1.2 KiB text/prs.fallenstein.rst Show Annotation Show as Raw Download as Raw
Thomas De Schampheleire
templates: narrow down scope of webhelpers.html.literal for HTML injection

When using webhelpers.html.literal to inject some explicit HTML code with
some variable data, there are two approaches:
h.literal('some <html> code with %s data' % foobar)
or
h.literal('some <html> code with %s data') % foobar

In the first case, the literal also applies to the contents of variable
'foobar' which may be influenceable by users and thus potentially malicious.
In the second case, this term will be escaped by webhelpers.

See also the documentation:
https://docs.pylonsproject.org/projects/webhelpers/en/latest/modules/html/builder.html#webhelpers.html.builder.literal
"Also, if you add another string to this string, the other string will
be quoted and you will get back another literal object. Also
literal(...) % obj will quote any value(s) from obj."

In files_browser.html, the correction of this scope of literal() also means
that explicit escaping of node.name can be removed. The escaping is now done
automatically by webhelpers as mentioned above.
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
.. _debugging:

===================
Debugging Kallithea
===================

If you encounter problems with Kallithea, here are some instructions
on how to debug them.

.. note:: First make sure you're using the latest version available.


Enable detailed debug
---------------------

Kallithea uses the standard Python ``logging`` module to log its output.
By default only loggers with ``INFO`` level are displayed. To enable full output
change ``level = DEBUG`` for all logging handlers in the currently used .ini file.
This change will allow you to see much more detailed output in the log file or
console. This generally helps a lot to track issues.


Enable interactive debug mode
-----------------------------

To enable interactive debug mode simply comment out ``set debug = false`` in
the .ini file. This will trigger an interactive debugger each time
there is an error in the browser, or send a http link if an error occurred in the backend. This
is a great tool for fast debugging as you get a handy Python console right
in the web view.

.. warning:: NEVER ENABLE THIS ON PRODUCTION! The interactive console
             can be a serious security threat to your system.
This site is powered by Kallithea 0.7.0, which is © 2010–2025 by various authors & licensed under GPLv3.