remove overzealous escaping of reason in rebuild()

I'd like a second look at this, since these escapes were added while resolving the XSS vulnerabilities back in 0.7.*. I think they are unnecessary, particularly with the use of Jinja. I suspect they were added out of an abundance of caution, lest the reason later be used unescaped in a status display.
djmitche · Mar 12, 2010 · 21296a7 · 21296a7 · marcus-sonestedt · Mar 12, 2010
1 parent 0fc61b8
commit 21296a7
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/buildbot/status/web/build.py b/buildbot/status/web/build.py
@@ -170,7 +170,7 @@ def rebuild(self, req):
         name = req.args.get("username", ["<unknown>"])[0]
         comments = req.args.get("comments", ["<no reason specified>"])[0]
         reason = ("The web-page 'rebuild' button was pressed by "
-                  "'%s': %s\n" % (html.escape(name), html.escape(comments)))
+                  "'%s': %s\n" % (name, comments))
         extraProperties = getAndCheckProperties(req)
         if not bc or not b.isFinished() or extraProperties is None:
             log.msg("could not rebuild: bc=%s, isFinished=%s"