Ensure arbitrary HTTPException messages are HTML escaped

- These messages can include user-supplied strings
This commit is contained in:
Hypolite Petovan 2023-02-04 19:19:43 -05:00
parent 4e355c0f5e
commit 447709377c
3 changed files with 3 additions and 2 deletions


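--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -104,6 +104,7 @@ class HTTPException
 $tpl = Renderer::getMarkupTemplate('http_status.tpl');
 $content = Renderer::replaceMacros($tpl, $vars);
 } catch (\Exception $e) {
+$vars = array_map('htmlentities', $vars);
 $content = "<h1>{$vars['$title']}</h1><p>{$vars['$message']}</p>";
 if ($this->isSiteAdmin) {
 $content .= "<p>{$vars['$thrown']}</p>";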
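Review bot: The added `array_map('htmlentities', $vars)` relies on PHP's default flags and charset, and before PHP 8.1 the default flag set omits ENT_SUBSTITUTE, so a message containing an invalid UTF-8 byte sequence makes htmlentities() return an empty string and the fallback page silently loses its title or message. Passing the flags explicitly makes the escaping independent of the runtime version: `$vars = array_map(static fn ($v) => htmlentities($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), $vars);`. The hunk does not show how $vars is assembled; if any entry is not a string, htmlentities() will reject it, so a type guard or (string) cast may be needed at the same spot. The enclosing method starts and ends outside the hunk.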


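--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,7 +1,7 @@
 <div id="exception" class="generic-page-wrapper">
 <img class="hare" src="images/friendica-404_svg_flexy-o-hare.png"/>
 <h1>{{$title}}</h1>
-<p>{{$message nofilter}}</p>
+<p>{{$message}}</p>
 {{if $thrown}}
 <pre>{{$thrown}}
 {{$stack_trace}}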
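Review bot: Dropping `nofilter` on `{{$message}}` only escapes the value if the template engine's default HTML escaping is enabled for this renderer; the hunk cannot show that setting, so it is worth confirming once, since otherwise the message is still emitted raw and the commit's fallback path would be the only place escaping happens. The same applies to the matching line in the third file of this commit. A short template comment next to the line, e.g. `{* $message can carry user input: keep default escaping, never nofilter *}`, would keep a later edit from re-adding the bypass.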


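--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -4,7 +4,7 @@
 </head>
 <body>
 <h1>{{$title}}</h1>
-<p>{{$message nofilter}}</p>
+<p>{{$message}}</p>
 {{if $trace}}
 <pre>{{$trace nofilter}}</pre>
 {{/if}}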
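Review bot: `{{$trace nofilter}}` two lines below the changed line still renders the trace unescaped inside `<pre>`, whereas the other template in this commit renders `{{$stack_trace}}` with default escaping. If the trace text can include exception messages or call arguments derived from request data, the same issue the commit closes for `$message` remains open on that line; unless the trace is known to be pre-formatted HTML, changing it to `<pre>{{$trace}}</pre>` would be consistent with the rest of the change, and `<pre>` preserves the line breaks either way.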