From: Changqing Li
Date: Mon, 15 Mar 2021 01:03:25 +0000 (-0700)
Subject: report-error.bbclass: replace angle brackets with < and >
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=185d32ab7f60128f9b161b7442a41564ae7e9b32;p=thirdparty%2Fopenembedded%2Fopenembedded-core-contrib.git

report-error.bbclass: replace angle brackets with < and >

When we have the below content in local.conf or auto.conf:
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
send-error-report will fail with "HTTP Error 500: OK"

error-report-web does a rudimentary check on all fields that are passed to the graphs page to avoid any XSS happening; if a field contains '<', the server will return an error (Invalid characters in json).

Fixed by using the escape of <> to replace it.

NOTE: with this change, error-report-web needs to add the filter 'safe' for the string wanted to display, to avoid further HTML escaping prior to output. Below is how the content is displayed on the webpage:

with the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj "
without the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem@gmail.com>"

Another patch for error-report-web will be sent to the yocto mail list.

[YOCTO #13252]

Signed-off-by: Changqing Li
Signed-off-by: Khem Raj
---
diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass index 891b3c4467..05459a0ac4 100644 --- a/meta/classes/report-error.bbclass +++ b/meta/classes/report-error.bbclass @@ -43,6 +43,7 @@ def get_conf_data(e, filename): continue else: jsonstring=jsonstring + line + jsonstring = jsonstring.replace("<", "<").replace(">", ">") return jsonstring def get_common_data(e):
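
Review bot: the added replace line in get_conf_data() handles only the two angle brackets and leaves '&' untouched, so an ampersand or an already-escaped sequence in local.conf or auto.conf passes through unchanged and cannot be told apart from the escapes added here once the server renders the field. Escaping '&' first, or calling html.escape() from the Python standard library instead of the chained replace(), would keep the encoding unambiguous. The commit message says error-report-web must render this string with the 'safe' filter, which turns off the template's own escaping for that field; a comment beside the new line should record that dependency, and the server should keep validating the field itself, because the escaping done here happens on the submitting client and nothing in this hunk stops a different client from sending unescaped input. As the hunk appears on this page, each replace() maps a character to itself and reads as a no-op, while the commit message indicates the replacement values are the HTML escapes for < and >.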