Correctly escape output of ?_trace, refs #1360

2021-06-05 14:49:16 -07:00 · 2021-06-05 14:49:16 -07:00 · 8f311d6c1d
commit 8f311d6c1d
--- a/datasette/tracer.py
+++ b/datasette/tracer.py
@ -1,5 +1,6 @@
 import asyncio
 from contextlib import contextmanager
+from markupsafe import escape
 import time
 import json
 import traceback
@ -123,7 +124,7 @@ class AsgiTracer:
                except IndexError:
                    content_type = ""
                if "text/html" in content_type and b"</body>" in accumulated_body:
-                    extra = json.dumps(trace_info, indent=2)
+                    extra = escape(json.dumps(trace_info, indent=2))
                    extra_html = f"<pre>{extra}</pre></body>".encode("utf8")
                    accumulated_body = accumulated_body.replace(b"</body>", extra_html)
                elif "json" in content_type and accumulated_body.startswith(b"{"):
--- a/tests/test_html.py
+++ b/tests/test_html.py
@ -1699,3 +1699,9 @@ def test_unavailable_table_does_not_break_sort_relationships():
    ) as client:
        response = client.get("/?_sort=relationships")
        assert response.status == 200
+
+
+def test_trace_correctly_escaped(app_client):
+    response = app_client.get("/fixtures?sql=select+'<h1>Hello'&_trace=1")
+    assert "select '<h1>Hello" not in response.text
+    assert "select &#39;&lt;h1&gt;Hello" in response.text