From lists at zopyx.com  Sat Aug 1 17:05:37 2009
From: lists at zopyx.com (Andreas Jung)
Date: Sat, 01 Aug 2009 17:05:37 +0200
Subject: [Catalog-sig] package with the longest version string
In-Reply-To:
References:
Message-ID: <4A7459C1.1070704@zopyx.com>

On 31.07.09 03:23, Sridhar Ratnakumar wrote:
> .. must be this:
>
>
> http://pypi.python.org/pypi/softwarefabrica.django.crud/1.0dev-BZR-r79-panta-elasticworld.org-20090316230356-bp41wibodhmypvep

PyPI, the package toilet :->

Andreas

From chris at simplistix.co.uk  Wed Aug 19 13:54:02 2009
From: chris at simplistix.co.uk (Chris Withers)
Date: Wed, 19 Aug 2009 12:54:02 +0100
Subject: [Catalog-sig] Problems uploading a .msi
In-Reply-To: <1250681687.3962.6.camel@sverker-laptop>
References: <4A8ABC2A.30805@simplistix.co.uk>
	<1250681687.3962.6.camel@sverker-laptop>
Message-ID: <4A8BE7DA.4050300@simplistix.co.uk>

Sverker Nilsson wrote:
> Yes, I could see you attached a Windows installer.
> But I could not upload it. PyPi complained:
>
> Error processing form
>
> invalid distribution file

This was a .msi and I experienced the same thing.
Is this a known problem?

Chris

-- 
Simplistix - Content Management, Batch Processing & Python Consulting
           - http://www.simplistix.co.uk

From martin at v.loewis.de  Wed Aug 19 21:39:26 2009
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Wed, 19 Aug 2009 21:39:26 +0200
Subject: [Catalog-sig] Problems uploading a .msi
In-Reply-To: <4A8BE7DA.4050300@simplistix.co.uk>
References: <4A8ABC2A.30805@simplistix.co.uk>
	<1250681687.3962.6.camel@sverker-laptop>
	<4A8BE7DA.4050300@simplistix.co.uk>
Message-ID: <4A8C54EE.1020202@v.loewis.de>

> This was a .msi and I experienced the same thing.
> Is this a known problem?

PyPI didn't support MSI files, but it does now. Please try again.

Regards,
Martin

From martin at v.loewis.de  Fri Aug 21 16:33:14 2009
From: martin at v.loewis.de ("Martin v. Löwis")
Date: Fri, 21 Aug 2009 16:33:14 +0200
Subject: [Catalog-sig] HTML in long description
Message-ID: <4A8EB02A.9070001@v.loewis.de>

Should PyPI support HTML in the long_description field?

The current implementation tries to pass the long_description to
docutils, with the settings raw_enabled=0, file_insertion_enabled=0,
halt_level=2, report_level=5. If parsing fails, it will wrap the
long_description with a
 element.

As a side effect of that, HTML in long_description seems to work,
but it isn't really supported.

Which way should PyPI go: escape all markup if ReST rendering fails?
Or else allow arbitrary HTML to be embedded? I'm worried that somebody
would create a cross-site attack out of that...

Regards,
Martin
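
The render-then-fall-back behaviour described in the message above, as an added sketch that is not part of the thread and not PyPI's own code. The function names, the `<pre>` wrapper (the element name is missing from this archive page) and the sample input are assumptions; the docutils settings are the ones quoted in the message.

```python
import html

# Settings quoted in the message above.
DOCUTILS_SETTINGS = {
    "raw_enabled": 0,             # the ".. raw::" directive is refused
    "file_insertion_enabled": 0,  # ".. include::" and similar are refused
    "halt_level": 2,              # any warning (level 2) or worse aborts rendering
    "report_level": 5,            # nothing is written to the warning stream
}


def rst_to_html(text):
    """Render reST with docutils (third-party); raises when rendering halts."""
    from docutils.core import publish_parts
    parts = publish_parts(text, writer_name="html",
                          settings_overrides=DOCUTILS_SETTINGS)
    return parts["html_body"]


def render_description(text, renderer=rst_to_html, escape_fallback=True):
    """Return HTML for a long_description, falling back when reST fails.

    escape_fallback=False wraps the raw text as-is, which is how HTML
    "seems to work" as a side effect; True escapes it first.
    The <pre> wrapper is an assumption (hypothetical element choice).
    """
    try:
        return renderer(text)
    except Exception:  # docutils SystemMessage, or docutils not installed
        body = html.escape(text) if escape_fallback else text
        return "<pre>" + body + "</pre>"


# Constructed sample: the raw directive is disabled, so rendering halts
# at level 2 and the fallback branch is taken.
SAMPLE = ".. raw:: html\n\n   <script>alert(1)</script>\n"

if __name__ == "__main__":
    print(render_description(SAMPLE, escape_fallback=False))  # markup survives
    print(render_description(SAMPLE))                         # markup is inert
```

If docutils is not installed the import error is caught as well, so every description takes the escaped fallback.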

From fdrake at gmail.com  Fri Aug 21 16:35:25 2009
From: fdrake at gmail.com (Fred Drake)
Date: Fri, 21 Aug 2009 10:35:25 -0400
Subject: [Catalog-sig] HTML in long description
In-Reply-To: <4A8EB02A.9070001@v.loewis.de>
References: <4A8EB02A.9070001@v.loewis.de>
Message-ID: <9cee7ab80908210735l67039347w2ccd13a5e822275b@mail.gmail.com>

On Fri, Aug 21, 2009 at 10:33 AM, "Martin v. Löwis" wrote:
> Which way should PyPI go: escape all markup if ReST rendering fails?
> Or else allow arbitrary HTML to be embedded? I'm worried that somebody
> would create a cross-site attack out of that...

Same here; the text in the 
 should be properly escaped.


  -Fred

-- 
Fred L. Drake, Jr.    
"Chaos is the score upon which reality is written." --Henry Miller

From ziade.tarek at gmail.com  Fri Aug 21 16:51:37 2009
From: ziade.tarek at gmail.com (Tarek Ziadé)
Date: Fri, 21 Aug 2009 16:51:37 +0200
Subject: [Catalog-sig] HTML in long description
In-Reply-To: <9cee7ab80908210735l67039347w2ccd13a5e822275b@mail.gmail.com>
References: <4A8EB02A.9070001@v.loewis.de>
	<9cee7ab80908210735l67039347w2ccd13a5e822275b@mail.gmail.com>
Message-ID: <94bdd2610908210751w6e35f03ct4bac396b4c008037@mail.gmail.com>

On Fri, Aug 21, 2009 at 4:35 PM, Fred Drake wrote:
> On Fri, Aug 21, 2009 at 10:33 AM, "Martin v. Löwis" wrote:
>> Which way should PyPI go: escape all markup if ReST rendering fails?
>> Or else allow arbitrary HTML to be embedded? I'm worried that somebody
>> would create a cross-site attack out of that...
>
> Same here; the text in the 
 should be properly escaped.

FWIW lxml.html is pretty convenient to remove any dangerous tag, it's
a one-liner
that will get rid of any