Discussion: [pgsql-www] escapes in submitted docs comments
The docs comments coming in through pgsql-docs look like this:

select instr('010000101001001','1',-1) from dual

Can the escaping be fixed?

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
> On 02 Feb 2017, at 22:47, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
>
> The docs comments coming in through pgsql-docs look like this:
>
> select instr('010000101001001','1',-1) from dual
>
> Can the escaping be fixed?

AFAIU with Django, to avoid the escaping the form content would have to be
marked safe which seems.. unsafe. Given the nature of SQL and the comments we
get, perhaps the simple approach is to just replace the unicode quote since it
will be quite common? Something along the lines of the (untested) diff below?

--- a/pgweb/docs/views.py +++ b/pgweb/docs/views.py @@ -130,7 +130,7 @@ def commentform(request, itemid, version, filename): 'docs/docsbugmail.txt',{ 'version': version, 'filename': filename, - 'details': form.cleaned_data['details'], + 'details': form.cleaned_data['details'].replace(''', "'"), }, usergenerated=True, )

cheers
./daniel
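Review bot: the `+ 'details':` line undoes a single entity, but Django's autoescaping also encodes `&`, `<`, `>` and `"`, so a comment such as `where a < b` would still reach pgsql-docs mangled. As displayed in the archive the first argument to `replace()` reads `'''`, which Python parses as the start of a triple-quoted string, so the entity literal should be checked against the committed source before this is applied. Since `docs/docsbugmail.txt` is rendered into a text/plain mail with no HTML part, the cleaner fix is to stop escaping that one variable in the template (`{{ details|safe }}`, or `{% autoescape off %}` around the block) rather than to reverse individual entities after the fact, and to keep that template out of any code path that renders it as HTML.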
Daniel Gustafsson wrote:
> > On 02 Feb 2017, at 22:47, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
> >
> > The docs comments coming in through pgsql-docs look like this:
> >
> > select instr('010000101001001','1',-1) from dual
> >
> > Can the escaping be fixed?
>
> AFAIU with Django, to avoid the escaping the form content would have to be
> marked safe which seems.. unsafe. Given the nature of SQL and the comments we
> get, perhaps the simple approach is to just replace the unicode quote since it
> will be quite common? Something along the lines of the (untested) diff below?

There are plenty of other characters being escaped, though. Can't we
just do something like "parse this html piece as text" instead?
("unescape" I suppose). We're only sending it in a text/plain email, so
there's no worry of misinterpreted HTML.

--
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services
> On 15 Feb 2017, at 12:52, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
>
> Daniel Gustafsson wrote:
>>> On 02 Feb 2017, at 22:47, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
>>>
>>> The docs comments coming in through pgsql-docs look like this:
>>>
>>> select instr('010000101001001','1',-1) from dual
>>>
>>> Can the escaping be fixed?
>>
>> AFAIU with Django, to avoid the escaping the form content would have to be
>> marked safe which seems.. unsafe. Given the nature of SQL and the comments we
>> get, perhaps the simple approach is to just replace the unicode quote since it
>> will be quite common? Something along the lines of the (untested) diff below?
>
> There are plenty of other characters being escaped, though. Can't we
> just do something like "parse this html piece as text" instead?
> ("unescape" I suppose). We're only sending it in a text/plain email, so
> there's no worry of misinterpreted HTML.

Perhaps not, I guess I’m just scared about potentially “helpful” MUA’s who see
HTML and renders even if it’s in text/plain. That being said, I don’t think
I’ve seen one in quite some time.

cheers
./daniel
On Wed, Feb 15, 2017 at 1:13 PM, Daniel Gustafsson <daniel@yesql.se> wrote:
> On 15 Feb 2017, at 12:52, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
>
> Daniel Gustafsson wrote:
>>> On 02 Feb 2017, at 22:47, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
>>>
>>> The docs comments coming in through pgsql-docs look like this:
>>>
>>> select instr('010000101001001','1',-1) from dual
>>>
>>> Can the escaping be fixed?
>>
>> AFAIU with Django, to avoid the escaping the form content would have to be
>> marked safe which seems.. unsafe. Given the nature of SQL and the comments we
>> get, perhaps the simple approach is to just replace the unicode quote since it
>> will be quite common? Something along the lines of the (untested) diff below?
>
> There are plenty of other characters being escaped, though. Can't we
> just do something like "parse this html piece as text" instead?
> ("unescape" I suppose). We're only sending it in a text/plain email, so
> there's no worry of misinterpreted HTML.
Perhaps not, I guess I’m just scared about potentially “helpful” MUA’s who see
HTML and renders even if it’s in text/plain. That being said, I don’t think
I’ve seen one in quite some time.
If a helpful MUA does that in text that's clearly set to text/plain, there is really no helping the poor soul who uses it.
And the mails we generate don't even have a text/html part, so I think we should be perfectly safe.
> On 15 Feb 2017, at 14:09, Magnus Hagander <magnus@hagander.net> wrote:
>
> On Wed, Feb 15, 2017 at 1:13 PM, Daniel Gustafsson <daniel@yesql.se <mailto:daniel@yesql.se>> wrote:
> > On 15 Feb 2017, at 12:52, Alvaro Herrera <alvherre@2ndquadrant.com <mailto:alvherre@2ndquadrant.com>> wrote:
> >
> > Daniel Gustafsson wrote:
> >>> On 02 Feb 2017, at 22:47, Peter Eisentraut <peter.eisentraut@2ndquadrant.com <mailto:peter.eisentraut@2ndquadrant.com>> wrote:
> >>>
> >>> The docs comments coming in through pgsql-docs look like this:
> >>>
> >>> select instr('010000101001001','1',-1) from dual
> >>>
> >>> Can the escaping be fixed?
> >>
> >> AFAIU with Django, to avoid the escaping the form content would have to be
> >> marked safe which seems.. unsafe. Given the nature of SQL and the comments we
> >> get, perhaps the simple approach is to just replace the unicode quote since it
> >> will be quite common? Something along the lines of the (untested) diff below?
> >
> > There are plenty of other characters being escaped, though. Can't we
> > just do something like "parse this html piece as text" instead?
> > ("unescape" I suppose). We're only sending it in a text/plain email, so
> > there's no worry of misinterpreted HTML.
>
> Perhaps not, I guess I’m just scared about potentially “helpful” MUA’s who see
> HTML and renders even if it’s in text/plain. That being said, I don’t think
> I’ve seen one in quite some time.
>
> If a helpful MUA does that in text that's clearly set to text/plain, there is really no helping the poor soul who uses it.
>
> And the mails we generate don't even have a text/html part, so I think we should be perfectly safe.

Perhaps we can just run the textarea output via the unescape function from
django.utils.html before rendering the mail template?

cheers
./daniel
On Wed, Feb 15, 2017 at 4:31 PM, Daniel Gustafsson <daniel@yesql.se> wrote:
> On 15 Feb 2017, at 14:09, Magnus Hagander <magnus@hagander.net> wrote:
>
> On Wed, Feb 15, 2017 at 1:13 PM, Daniel Gustafsson <daniel@yesql.se <mailto:daniel@yesql.se>> wrote:
> > On 15 Feb 2017, at 12:52, Alvaro Herrera <alvherre@2ndquadrant.com <mailto:alvherre@2ndquadrant.com>> wrote:
> >
> > Daniel Gustafsson wrote:
> >>> On 02 Feb 2017, at 22:47, Peter Eisentraut <peter.eisentraut@2ndquadrant.com <mailto:peter.eisentraut@2ndquadrant.com>> wrote:
> >>>
> >>> The docs comments coming in through pgsql-docs look like this:
> >>>
> >>> select instr('010000101001001','1',-1) from dual
> >>>
> >>> Can the escaping be fixed?
> >>
> >> AFAIU with Django, to avoid the escaping the form content would have to be
> >> marked safe which seems.. unsafe. Given the nature of SQL and the comments we
> >> get, perhaps the simple approach is to just replace the unicode quote since it
> >> will be quite common? Something along the lines of the (untested) diff below?
> >
> > There are plenty of other characters being escaped, though. Can't we
> > just do something like "parse this html piece as text" instead?
> > ("unescape" I suppose). We're only sending it in a text/plain email, so
> > there's no worry of misinterpreted HTML.
>
> Perhaps not, I guess I’m just scared about potentially “helpful” MUA’s who see
> HTML and renders even if it’s in text/plain. That being said, I don’t think
> I’ve seen one in quite some time.
>
> If a helpful MUA does that in text that's clearly set to text/plain, there is really no helping the poor soul who uses it.
>
> And the mails we generate don't even have a text/html part, so I think we should be perfectly safe.
Perhaps we can just run the textarea output via the unescape function from
django.utils.html before rendering the mail template?
I think what you normally want to do is put |safe in the template -- so instead of {{whatever}} make it {{whatever|safe}}. That tells the template to stop auto-escaping.
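The two fixes discussed in this thread (running the value through `unescape`, or marking it `|safe` so the template stops autoescaping) behave differently depending on where they are applied. The following is an added example, not code from pgweb or Django: it uses the standard library's `html.escape`/`html.unescape` as a stand-in for Django's autoescaping (assumption: the same five characters `& < > " '` are affected; Django spells the apostrophe entity differently across versions), a constructed SQL comment, and a minimal `str.format` template in place of `docs/docsbugmail.txt`.

```python
"""Added example: how the fixes discussed in the thread differ depending on
where they run, and a check for the outgoing text/plain body.

Not pgweb or Django code. html.escape/html.unescape from the standard library
stand in for Django's autoescaping (assumption: the same five characters
& < > " ' are affected; Django spells the apostrophe entity differently in
some versions).
"""
import html
import re

# Constructed docs comment of the kind the thread describes: SQL with single
# quotes, a comparison operator and an ampersand, all of which autoescaping
# turns into entities.
SAMPLE_COMMENT = (
    "select instr('010000101001001','1',-1) from dual "
    "where a < b and c & 1 = 0"
)

# Stand-in for docs/docsbugmail.txt; {details} is the user-supplied comment.
MAIL_TEMPLATE = "Version: {version}\nFile: {filename}\n\n{details}\n"

ENTITY_RE = re.compile(r"&(?:#\d+|#x[0-9a-fA-F]+|[a-zA-Z]+);")


def render_autoescaped(template, context):
    """Default Django behaviour: every substituted value is HTML-escaped."""
    escaped = {k: html.escape(str(v), quote=True) for k, v in context.items()}
    return template.format(**escaped)


def render_safe(template, context):
    """What {{ details|safe }} or {% autoescape off %} does: verbatim insertion."""
    return template.format(**context)


def render_unescaped_before(template, context):
    """Unescape the field value *before* rendering, as first suggested.

    The value has not been escaped at this point, so unescape() is a no-op on
    ordinary input and the template's autoescaping still mangles it afterwards.
    """
    cleaned = dict(context, details=html.unescape(context["details"]))
    return render_autoescaped(template, cleaned)


def render_unescaped_after(template, context):
    """Unescape the rendered body: reverses autoescaping for a text/plain mail.

    Note this also decodes any entity-looking text in the template itself.
    """
    return html.unescape(render_autoescaped(template, context))


def body_is_plain(body):
    """Defender-side check on the outgoing mail: no HTML entities should survive
    into a text/plain body. Heuristic: a user who literally types an entity
    will trip it too."""
    return ENTITY_RE.search(body) is None


if __name__ == "__main__":
    # Constructed context values; the filename is not a real docs page.
    ctx = {"version": "9.6", "filename": "example.html", "details": SAMPLE_COMMENT}
    for name, fn in [("autoescaped", render_autoescaped),
                     ("unescape before render", render_unescaped_before),
                     ("unescape after render", render_unescaped_after),
                     ("|safe", render_safe)]:
        body = fn(MAIL_TEMPLATE, ctx)
        print(f"== {name}: plain={body_is_plain(body)}\n{body}")
```

Running it shows that unescaping before rendering produces exactly the same mangled body as doing nothing, while `|safe` and unescaping the rendered output both deliver the comment verbatim; of the two, `|safe` on a template that is only ever sent as text/plain is the simpler change.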
On 2/2/17 22:47, Peter Eisentraut wrote:
> The docs comments coming in through pgsql-docs look like this:
>
> select instr('010000101001001','1',-1) from dual
>
> Can the escaping be fixed?

This is still happening. Anything that could be done about it?

--
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services