niccokunzmann / open-web-calendar

Embed a highly customizable web calendar into your website using ICal source links
https://open-web-calendar.quelltext.eu
GNU General Public License v2.0
215 stars 70 forks

Error handling: do not include errors/tracebacks as part of the event calendar #74

Open cyroxx opened 4 years ago

cyroxx commented 4 years ago

At the moment, when there is an error with a particular feed, errors are included in the resulting calendar.

For example, https://open-web-calendar.herokuapp.com/calendar.events.json?specification_url=https://raw.githubusercontent.com/Chaostreff-Potsdam/machbar-kalender/master/calendar-specification.json currently includes the following error:

"Traceback (most recent call last):\n  File \"/app/.heroku/python/lib/python3.7/site-packages/icalendar/parser.py\", line 340, in parts\n    validate_token(name)\n  File \"/app/.heroku/python/lib/python3.7/site-packages/icalendar/parser.py\", line 128, in validate_token\n    raise ValueError(name)\nValueError: <!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n\nDuring handling of the above exception, another exception occurred:\n\nTraceback (most recent call last):\n  File \"/app/conversion_base.py\", line 49, in retrieve_calendar\n    calendars = Calendar.from_ical(calendar_text, multiple=True)\n  File \"/app/.heroku/python/lib/python3.7/site-packages/icalendar/cal.py\", line 330, in from_ical\n    name, params, vals = line.parts()\n  File \"/app/.heroku/python/lib/python3.7/site-packages/icalendar/parser.py\", line 354, in parts\n    % (self, exc)\nValueError: Content line could not be parsed into parts: '<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">': <!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"

I think such tracebacks should not be included in the calendar (not only, but also because they contain paths on the server, which is generally not advisable from a security standpoint). Maybe we should introduce a separate validation endpoint?



niccokunzmann commented 4 years ago

Hi, thanks for the report. There is displaying them on the website, and there is the question of whether they should be included in the ics feed or not.

For the web page, modifying CSS would do. Also, errors as events were added before the website showed the current advanced error page. So, they can just be hidden.

What do you think? Greetings.

I do not worry about paths as this is a Heroku deployment. Generally, I think this is worth another issue.
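
The behaviour reported in this issue, next to one way to keep the traceback out of the response, as an added example that is not part of the thread or the project's own code. `parse_feed`, the event dictionary shape, the logger name and the example URL are assumptions made for illustration; the sample feeds are constructed.

```python
import logging
import traceback
import uuid

log = logging.getLogger("calendar_feed")  # hypothetical logger name

# Constructed samples: a feed URL that answers with an HTML error page
# instead of iCalendar data (as in the report), and a minimal valid feed.
HTML_FEED = '<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html>404</html>'
GOOD_FEED = "BEGIN:VCALENDAR\nBEGIN:VEVENT\nSUMMARY:Open day\nEND:VEVENT\nEND:VCALENDAR"


def parse_feed(text):
    """Stand-in for the real iCalendar parser (assumption): returns event
    dicts and raises ValueError on a line that is not NAME:VALUE."""
    events = []
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if not sep or not name.replace("-", "").isalnum():
            raise ValueError("Content line could not be parsed into parts: %r" % line)
        if name == "SUMMARY":
            events.append({"type": "event", "text": value})
    return events


def events_leaky(text):
    """Behaviour described in the issue: the traceback becomes an event."""
    try:
        return parse_feed(text)
    except Exception:
        return [{"type": "error", "text": traceback.format_exc()}]


def events_hardened(text, feed_url):
    """Keep the traceback in the server log; give the client a reference only."""
    try:
        return parse_feed(text)
    except Exception:
        error_id = uuid.uuid4().hex[:12]
        # log.exception records the full traceback (with file paths) server-side.
        # %r escapes control characters in the caller-supplied URL.
        log.exception("feed %r failed to parse (error_id=%s)", feed_url, error_id)
        return [{"type": "error",
                 "text": "This calendar source could not be loaded.",
                 "error_id": error_id}]
```

The `error_id` lets an operator find the matching log entry without the client ever seeing module paths or library versions.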