Discussion: [pgsql-www] escapes in submitted docs comments

[pgsql-www] escapes in submitted docs comments

From
Peter Eisentraut
Date:
The docs comments coming in through pgsql-docs look like this:

select instr('010000101001001','1',-1) from dual

Can the escaping be fixed?

-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: [pgsql-www] escapes in submitted docs comments

From
Daniel Gustafsson
Date:
> On 02 Feb 2017, at 22:47, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
>
> The docs comments coming in through pgsql-docs look like this:
>
> select instr('010000101001001','1',-1) from dual
>
> Can the escaping be fixed?

AFAIU with Django, to avoid the escaping the form content would have to be
marked safe which seems..  unsafe.  Given the nature of SQL and the comments we
get, perhaps the simple approach is to just replace the unicode quote since it
will be quite common?  Something along the lines of the (untested) diff below?

--- a/pgweb/docs/views.py
+++ b/pgweb/docs/views.py
@@ -130,7 +130,7 @@ def commentform(request, itemid, version, filename):
'docs/docsbugmail.txt',{                                       'version': version,
'filename': filename, 
-                                       'details': form.cleaned_data['details'],
+                                       'details': form.cleaned_data['details'].replace(''', "'"),
            },                               usergenerated=True,                       ) 
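Review bot: as rendered here the replacement call `'details': form.cleaned_data['details'].replace(''', "'"),` is a syntax error in Python, because `'''` opens a triple-quoted string; the first argument has to be the entity text (the `&#39;` form visible in the quoted comment), not a bare apostrophe. Even with that corrected, the replace undoes only the apostrophe, while autoescaping also produces `&amp;`, `&lt;`, `&gt;` and `&quot;`, all of which a pasted SQL or docs snippet can contain. Since the entities are introduced when the `docs/docsbugmail.txt` template renders the `details` value, the view is the wrong layer to undo them: disabling autoescaping for this text/plain template (`{% autoescape off %}` around the body, or `|safe` on that single variable) leaves the submitted text untouched, and if a post-render decode is preferred instead, the standard library's `html.unescape` handles every entity rather than one.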
cheers ./daniel


Re: [pgsql-www] escapes in submitted docs comments

From
Alvaro Herrera
Date:
Daniel Gustafsson wrote:
> > On 02 Feb 2017, at 22:47, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
> > 
> > The docs comments coming in through pgsql-docs look like this:
> > 
> > select instr('010000101001001','1',-1) from dual
> > 
> > Can the escaping be fixed?
> 
> AFAIU with Django, to avoid the escaping the form content would have to be
> marked safe which seems..  unsafe.  Given the nature of SQL and the comments we
> get, perhaps the simple approach is to just replace the unicode quote since it
> will be quite common?  Something along the lines of the (untested) diff below?

There are plenty of other characters being escaped, though.  Can't we
just do something like "parse this html piece as text" instead?
("unescape" I suppose).  We're only sending it in a text/plain email, so
there's no worry of misinterpreted HTML.

-- 
Álvaro Herrera                https://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services



Re: [pgsql-www] escapes in submitted docs comments

From
Daniel Gustafsson
Date:
> On 15 Feb 2017, at 12:52, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
>
> Daniel Gustafsson wrote:
>>> On 02 Feb 2017, at 22:47, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
>>>
>>> The docs comments coming in through pgsql-docs look like this:
>>>
>>> select instr('010000101001001','1',-1) from dual
>>>
>>> Can the escaping be fixed?
>>
>> AFAIU with Django, to avoid the escaping the form content would have to be
>> marked safe which seems..  unsafe.  Given the nature of SQL and the comments we
>> get, perhaps the simple approach is to just replace the unicode quote since it
>> will be quite common?  Something along the lines of the (untested) diff below?
>
> There are plenty of other characters being escaped, though.  Can't we
> just do something like "parse this html piece as text" instead?
> ("unescape" I suppose).  We're only sending it in a text/plain email, so
> there's no worry of misinterpreted HTML.

Perhaps not, I guess I’m just scared about potentially “helpful” MUA’s who see
HTML and renders even if it’s in text/plain.  That being said, I don’t think
I’ve seen one in quite some time.

cheers ./daniel


Re: [pgsql-www] escapes in submitted docs comments

From
Magnus Hagander
Date:

On Wed, Feb 15, 2017 at 1:13 PM, Daniel Gustafsson <daniel@yesql.se> wrote:
> On 15 Feb 2017, at 12:52, Alvaro Herrera <alvherre@2ndquadrant.com> wrote:
>
> Daniel Gustafsson wrote:
>>> On 02 Feb 2017, at 22:47, Peter Eisentraut <peter.eisentraut@2ndquadrant.com> wrote:
>>>
>>> The docs comments coming in through pgsql-docs look like this:
>>>
>>> select instr(&#39;010000101001001&#39;,&#39;1&#39;,-1) from dual
>>>
>>> Can the escaping be fixed?
>>
>> AFAIU with Django, to avoid the escaping the form content would have to be
>> marked safe which seems..  unsafe.  Given the nature of SQL and the comments we
>> get, perhaps the simple approach is to just replace the unicode quote since it
>> will be quite common?  Something along the lines of the (untested) diff below?
>
> There are plenty of other characters being escaped, though.  Can't we
> just do something like "parse this html piece as text" instead?
> ("unescape" I suppose).  We're only sending it in a text/plain email, so
> there's no worry of misinterpreted HTML.

Perhaps not, I guess I’m just scared about potentially “helpful” MUA’s who see
HTML and renders even if it’s in text/plain.  That being said, I don’t think
I’ve seen one in quite some time.

If a helpful MUA does that in text that's clearly set to text/plain, there is really no helping the poor soul who uses it.

And the mails we generate don't even have a text/html part, so I think we should be perfectly safe. 

--

Re: [pgsql-www] escapes in submitted docs comments

From
Daniel Gustafsson
Date:
> On 15 Feb 2017, at 14:09, Magnus Hagander <magnus@hagander.net> wrote:
>
> On Wed, Feb 15, 2017 at 1:13 PM, Daniel Gustafsson <daniel@yesql.se <mailto:daniel@yesql.se>> wrote:
> > On 15 Feb 2017, at 12:52, Alvaro Herrera <alvherre@2ndquadrant.com <mailto:alvherre@2ndquadrant.com>> wrote:
> >
> > Daniel Gustafsson wrote:
> >>> On 02 Feb 2017, at 22:47, Peter Eisentraut <peter.eisentraut@2ndquadrant.com <mailto:peter.eisentraut@2ndquadrant.com>> wrote:
> >>>
> >>> The docs comments coming in through pgsql-docs look like this:
> >>>
> >>> select instr('010000101001001','1',-1) from dual
> >>>
> >>> Can the escaping be fixed?
> >>
> >> AFAIU with Django, to avoid the escaping the form content would have to be
> >> marked safe which seems..  unsafe.  Given the nature of SQL and the comments we
> >> get, perhaps the simple approach is to just replace the unicode quote since it
> >> will be quite common?  Something along the lines of the (untested) diff below?
> >
> > There are plenty of other characters being escaped, though.  Can't we
> > just do something like "parse this html piece as text" instead?
> > ("unescape" I suppose).  We're only sending it in a text/plain email, so
> > there's no worry of misinterpreted HTML.
>
> Perhaps not, I guess I’m just scared about potentially “helpful” MUA’s who see
> HTML and renders even if it’s in text/plain.  That being said, I don’t think
> I’ve seen one in quite some time.
>
> If a helpful MUA does that in text that's clearly set to text/plain, there is really no helping the poor soul who uses it.
>
> And the mails we generate don't even have a text/html part, so I think we should be perfectly safe.

Perhaps we can just run the textarea output via the unescape function from
django.utils.html before rendering the mail template?

cheers ./daniel


Re: [pgsql-www] escapes in submitted docs comments

From
Magnus Hagander
Date:
On Wed, Feb 15, 2017 at 4:31 PM, Daniel Gustafsson <daniel@yesql.se> wrote:

> On 15 Feb 2017, at 14:09, Magnus Hagander <magnus@hagander.net> wrote:
>
> On Wed, Feb 15, 2017 at 1:13 PM, Daniel Gustafsson <daniel@yesql.se <mailto:daniel@yesql.se>> wrote:
> > On 15 Feb 2017, at 12:52, Alvaro Herrera <alvherre@2ndquadrant.com <mailto:alvherre@2ndquadrant.com>> wrote:
> >
> > Daniel Gustafsson wrote:
> >>> On 02 Feb 2017, at 22:47, Peter Eisentraut <peter.eisentraut@2ndquadrant.com <mailto:peter.eisentraut@2ndquadrant.com>> wrote:
> >>>
> >>> The docs comments coming in through pgsql-docs look like this:
> >>>
> >>> select instr(&#39;010000101001001&#39;,&#39;1&#39;,-1) from dual
> >>>
> >>> Can the escaping be fixed?
> >>
> >> AFAIU with Django, to avoid the escaping the form content would have to be
> >> marked safe which seems..  unsafe.  Given the nature of SQL and the comments we
> >> get, perhaps the simple approach is to just replace the unicode quote since it
> >> will be quite common?  Something along the lines of the (untested) diff below?
> >
> > There are plenty of other characters being escaped, though.  Can't we
> > just do something like "parse this html piece as text" instead?
> > ("unescape" I suppose).  We're only sending it in a text/plain email, so
> > there's no worry of misinterpreted HTML.
>
> Perhaps not, I guess I’m just scared about potentially “helpful” MUA’s who see
> HTML and renders even if it’s in text/plain.  That being said, I don’t think
> I’ve seen one in quite some time.
>
> If a helpful MUA does that in text that's clearly set to text/plain, there is really no helping the poor soul who uses it.
>
> And the mails we generate don't even have a text/html part, so I think we should be perfectly safe.

Perhaps we can just run the textarea output via the unescape function from
django.utils.html before rendering the mail template?


I think what you normally want to do is put |safe in the template -- so instead of {{whatever}} make it {{whatever|safe}}. That tells the template to stop auto-escaping. 

--
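An added example (not code from the thread or from pgweb) modelling the pipeline discussed above: what Django autoescaping does to `{{ details }}`, how the single-entity replace, a post-render unescape and switching autoescaping off for the text/plain template each behave, and the caveat that unescaping and autoescape-off must not be combined. The escaping helper, the template shape and the second sample comment are constructed here.

```python
import html

# Constructed sample comments; the first is the one quoted in the thread,
# the second is invented to exercise the other characters autoescaping touches.
SAMPLE_COMMENTS = [
    "select instr('010000101001001','1',-1) from dual",
    'The docs say "a < b & c" but the SGML source writes &lt; literally',
]


def escape_like_django(value: str) -> str:
    """Model of Django template autoescaping (assumption: the &#39; form of the
    apostrophe seen in the thread; Python's html.escape would emit &#x27;)."""
    return (value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
            .replace('"', "&quot;").replace("'", "&#39;"))


def render_mail(details: str, autoescape_on: bool = True) -> str:
    """Model of rendering a docsbugmail.txt-style template with {{ details }}.
    autoescape_on=True is Django's default; False stands for wrapping the
    text/plain body in {% autoescape off %} (or using {{ details|safe }})."""
    body = escape_like_django(details) if autoescape_on else details
    return "Comment:\n" + body + "\n"


def fix_by_single_replace(rendered: str) -> str:
    """The approach of the proposed diff: undo only the apostrophe entity."""
    return rendered.replace("&#39;", "'")


def fix_by_unescape(rendered: str) -> str:
    """The 'unescape after rendering' approach: decode every HTML entity.
    Correct only if the text was escaped exactly once; applied to text that was
    never escaped it turns a user's literal &lt; into <."""
    return html.unescape(rendered)


def expected_mail(details: str) -> str:
    """What the plain-text mail should contain: the comment exactly as submitted."""
    return "Comment:\n" + details + "\n"
```

Comparing each fix against `expected_mail` rather than checking for leftover entities avoids false alarms when a user legitimately types an entity such as `&lt;` in a docs comment.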

Re: [pgsql-www] escapes in submitted docs comments

From
Peter Eisentraut
Date:
On 2/2/17 22:47, Peter Eisentraut wrote:
> The docs comments coming in through pgsql-docs look like this:
> 
> select instr('010000101001001','1',-1) from dual
> 
> Can the escaping be fixed?

This is still happening.  Anything that could be done about it?


-- 
Peter Eisentraut              http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Remote DBA, Training & Services