- [bug] The exception message in the html_error_template

  is now escaped with the HTML filter. [ticket:142]

CHANGES

@@ -1,13 +1,6 @@
 0.6.0
-- [feature/bug] Can now refer to context variables
-  within extra arguments to <%block>, <%def>, i.e.
-  <%block name="foo" cache_key="${somekey}">.
-  Filters can also be used in this way, i.e.
-  <%def name="foo()" filter="myfilter">
-  then template.render(myfilter=some_callable)
-  [ticket:180]
 
-- Template caching has been converted into a plugin
+- [feature] Template caching has been converted into a plugin
   system, whereby the usage of Beaker is just the
   default plugin.   Template and TemplateLookup
   now accept a string "cache_impl" parameter which
@@ -19,23 +12,34 @@
   core plugin is the mako.cache.CacheImpl
   class.
 
-- The <%def>, <%block> and <%page> tags now accept
+- [feature] The <%def>, <%block> and <%page> tags now accept
   any argument named "cache_*", and the key
   minus the "cache_" prefix will be passed as keyword
   arguments to the CacheImpl methods.
 
-- Template and TemplateLookup now accept an argument 
+- [feature] Template and TemplateLookup now accept an argument 
   cache_args, which refers to a dictionary containing
   cache parameters.  The cache_dir, cache_url, cache_type, 
   cache_timeout arguments are deprecated (will probably 
   never be removed, however) and can be passed
   now as cache_args={'url':<some url>, 'type':'memcached',
   'timeout':50, 'dir':'/path/to/some/directory'}
 
-- Added "--var name=value" option to the mako-render 
+- [feature/bug] Can now refer to context variables
+  within extra arguments to <%block>, <%def>, i.e.
+  <%block name="foo" cache_key="${somekey}">.
+  Filters can also be used in this way, i.e.
+  <%def name="foo()" filter="myfilter">
+  then template.render(myfilter=some_callable)
+  [ticket:180]
+
+- [feature] Added "--var name=value" option to the mako-render 
   script, allows passing of kw to the template from 
   the command line. [ticket:178]
 
+- [bug] The exception message in the html_error_template
+  is now escaped with the HTML filter. [ticket:142]
+
 0.5
 - A Template is explicitly disallowed
   from having a url that normalizes to relative outside

mako/exceptions.py

@@ -277,7 +277,7 @@ def html_error_template():
     else:
         lines = None
 %>
-<h3>${tback.errorname}: ${tback.message}</h3>
+<h3>${tback.errorname}: ${tback.message|h}</h3>
 
 % if lines:
     <div class="sample">

test/test_exceptions.py

@@ -20,8 +20,8 @@ def test_html_error_template(self):
             assert False
         except exceptions.CompileException, ce:
             html_error = exceptions.html_error_template().render_unicode()
-            assert ("CompileException: Fragment 'i = 0' is not a partial "
-                    "control statement") in html_error
+            assert ("CompileException: Fragment 'i = 0' is not "
+                    "a partial control statement at line: 2 char: 1") in html_error
             assert '<style>' in html_error
             html_error_stripped = html_error.strip()
             assert html_error_stripped.startswith('<html>')
@@ -75,10 +75,10 @@ def test_utf8_html_error_template(self):
             template.render_unicode()
         except exceptions.CompileException, ce:
             html_error = exceptions.html_error_template().render()
-            assert ("CompileException: Fragment 'if 2 == 2: /an "
-                    "error' is not a partial control "
-                    "statement at line: 2 char: 1") in \
-                    html_error.decode('utf-8')
+            assert ("CompileException: Fragment &#39;if 2 == 2: /an "
+                    "error&#39; is not a partial control statement "
+                    "at line: 2 char: 1") in \
+                    html_error
 
             if util.py3k:
                 assert u"3 ${&#39;привет&#39;}".encode(sys.getdefaultencoding(),
@@ -185,5 +185,4 @@ def test_tback_no_trace(self):
         # and don't even send what we have.
         html_error = exceptions.html_error_template().\
                     render_unicode(error=v, traceback=None)
-
-        assert "local variable 'y' referenced" in html_error
+        assert "local variable &#39;y&#39; referenced before assignment" in html_error

test/test_template.py

@@ -12,6 +12,23 @@
     skip_if, assert_raises, assert_raises_message
 
 class EncodingTest(TemplateTest):
+    def test_escapes_html_tags(self):
+        from mako.exceptions import html_error_template
+
+        x = Template("""
+        X:
+        <% raise Exception('<span style="color:red">Foobar</span>') %>
+        """)
+
+        try:
+            x.render()
+        except:
+            # <h3>Exception: <span style="color:red">Foobar</span></h3>
+            markup = html_error_template().render(full=False, css=False)
+            print markup
+            assert '<span style="color:red">Foobar</span></h3>' not in markup
+            assert '&lt;span style=&#34;color:red&#34;&gt;Foobar&lt;/span&gt;' in markup
+
     def test_unicode(self):
         self._do_memory_test(
             u"""Alors vous imaginez ma surprise, au lever du jour, quand une drôle de petite voix m’a réveillé. Elle disait: « S’il vous plaît… dessine-moi un mouton! »""",