Re: [error-report-web][PATCH V2] Add local.conf and auto.conf into error details

Khem Raj

has this resolved on server side ? since I see that
patch to report-error.bbclass is still not applied in

On Mon, Dec 16, 2019 at 7:48 PM Changqing Li <> wrote:

correct the mail list to

On 12/11/19 1:45 PM, Changqing Li wrote:

On 11/13/19 6:36 PM, Paul Eggleton wrote:
Hi Changqing,

Some comments below.

On Tuesday, 12 November 2019 9:32:53 PM NZDT wrote:
From: Changqing Li <>

Support to display local.conf and auto.conf on error report web.
Here is commit in oe-core, which add local.conf/auto.conf into error

This commit is related to YOCTO #13252

Signed-off-by: Changqing Li <>
Post/ | 24 ++++++++++++++++++++++++
Post/ | 2 ++
Post/ | 2 ++
Post/ | 2 ++
templates/error-details.html | 10 ++++++++++
test-data/test-payload.json | 4 +++-
6 files changed, 43 insertions(+), 1 deletion(-)
create mode 100644 Post/

diff --git a/Post/
new file mode 100644
index 0000000..827944e
--- /dev/null
+++ b/Post/
Could you please give the migration a proper name (-n option to
makemigrations) e.g. local_conf_auto_conf
OK, thanks

--- a/Post/
+++ b/Post/
@@ -43,6 +43,8 @@ class Build(models.Model):
LINK_BACK = models.TextField(max_length=300, blank=True,
ERROR_TYPE = models.CharField(max_length=20,
models.TextField(max_length=int(settings.MAX_UPLOAD_SIZE), default="")
models.TextField(max_length=int(settings.MAX_UPLOAD_SIZE), default="")
I'm not sure this is practical, for two reasons:

1) Field sizes should not be variable like this; changing the
MAX_UPLOAD_SIZE value after the fact would not change the database
2) The value could never actually reach MAX_UPLOAD_SIZE because the
overhead of the surrounding JSON would block it from being uploaded
if it did

However, since this is a TextField we don't actually have to specify
a max_length (for a TextField max_length only actually affects the
frontend, and we don't expose this field in a form) so it can just be

Another thing, instead of default="" you should use blank=True.
OK, I will fix this.

+ {% if detail.BUILD.LOCAL_CONF != "" %}
+ <dt></a>Local Conf:</dt>
+ <dd style="white-space: pre-wrap;">{{
detail.BUILD.LOCAL_CONF | safe }}</dd>
+ {% endif %}
+ {% if detail.BUILD.AUTO_CONF != "" %}
+ <dt></a>Auto Conf:</dt>
+ <dd style="white-space: pre-wrap;">{{
detail.BUILD.AUTO_CONF | safe }}</dd>
+ {% endif %}
We cannot use the safe filter here - doing so could open up an XSS
vulnerability, since anyone can upload anything to the error-report
application and the content could include links or other malicious
HTML data. We should allow it to be auto-escaped. Is there a
particular issue you were using this to solve?
This is for resolve a problem when there is angle brackets in

I have a patch in oe-core [OE-core] [PATCH] report-error.bbclass:
replace angle brackets with &lt; and &gt;]

when we have below content in local.conf or auto.conf:
send-error-report will fail with "HTTP Error 500: OK"

error-report-web do rudimentary check on all fields that are
passed to the graphs page to avoid any XSS happening, if contains
'<', the server will return error(Invalid characters in json).
fixed by use escape of <> to replace it.

NOTE: with this change, error-report-web need to add filter 'safe'
for the string wanted to display to avoid further HTML escaping
prior to output. Below is how the content displayed on webpage:
with the filter 'safe':
without the filter 'safe':

Do you have good idea to resolve this? Thanks.

Links: You receive all messages sent to this group.

View/Reply Online (#47707):
Mute This Topic:
Group Owner:
Unsubscribe: []

Join to automatically receive all group messages.