Html escape traceback text in

CHANGES.txt

@@ -6,6 +6,8 @@ CHANGES
 
 - Add `aiohttp.web.StreamResponse.started` property #213
 
+- Html escape traceback text in `ServerHttpProtocol.handle_error`
+
 
 0.13.0 (12-29-2014)
 -------------------

aiohttp/server.py

@@ -8,6 +8,8 @@
 import traceback
 import socket
 
+from html import escape as html_escape
+
 import aiohttp
 from aiohttp import errors, streams, helpers
 from aiohttp.log import server_logger, access_logger
@@ -299,6 +301,7 @@ def handle_error(self, status=500,
             if self.debug and exc is not None:
                 try:
                     tb = traceback.format_exc()
+                    tb = html_escape(tb)
                     msg += '<br><h2>Traceback:</h2>\n<pre>{}</pre>'.format(tb)
                 except:
                     pass

tests/test_http_server.py

@@ -5,6 +5,8 @@
 import unittest
 import unittest.mock
 
+from html import escape
+
 from aiohttp import server
 from aiohttp import errors
 from aiohttp import test_utils
@@ -260,9 +262,8 @@ def test_handle_error__utf(self):
             [c[1][0] for c in list(srv.writer.write.mock_calls)])
         self.assertIn(b'HTTP/1.1 500 Internal Server Error', content)
         self.assertIn(b'CONTENT-TYPE: text/html; charset=utf-8', content)
-        self.assertIn(
-            "raise RuntimeError('что-то пошло не так')".encode('utf-8'),
-            content)
+        pattern = escape("raise RuntimeError('что-то пошло не так')")
+        self.assertIn(pattern.encode('utf-8'), content)
         self.assertFalse(srv._keep_alive)
 
         srv.logger.exception.assert_called_with("Error handling request")