Ensure arbitrary HTTPException messages are HTML escaped

- These messages can include user-supplied strings
Hypolite Petovan 2023-02-04 19:19:43 -05:00
parent 4e355c0f5e
commit 447709377c
3 changed files with 3 additions and 2 deletions


@ -104,6 +104,7 @@ class HTTPException
$tpl = Renderer::getMarkupTemplate('http_status.tpl');
$content = Renderer::replaceMacros($tpl, $vars);
} catch (\Exception $e) {
$vars = array_map('htmlentities', $vars);
$content = "<h1>{$vars['$title']}</h1><p>{$vars['$message']}</p>";
if ($this->isSiteAdmin) {
$content .= "<p>{$vars['$thrown']}</p>";
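Review bot: The new `$vars = array_map('htmlentities', $vars);` in the catch-path fallback relies on htmlentities' default flags, and on PHP before 8.1 those defaults lack ENT_SUBSTITUTE, so a value containing an invalid UTF-8 sequence makes htmlentities return an empty string and the fallback page would render a blank title or message — the very strings the commit says are user-influenced. Passing the flags explicitly removes the version dependency: `$vars = array_map(function ($v) { return htmlentities((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }, $vars);`. This also assumes every entry of `$vars` is a scalar; where `$vars` is built is not in the hunk, so if an entry can be an array it has to be handled before escaping rather than passed to htmlentities. The enclosing method of HTTPException starts and ends outside the hunk.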


@ -1,7 +1,7 @@
<div id="exception" class="generic-page-wrapper">
<img class="hare" src="images/friendica-404_svg_flexy-o-hare.png"/>
<h1>{{$title}}</h1>
<p>{{$message nofilter}}</p>
<p>{{$message}}</p>
{{if $thrown}}
<pre>{{$thrown}}
{{$stack_trace}}
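Review bot: Dropping `nofilter` from `{{$message}}` makes the escaping depend on the renderer's default output filter (presumably Smarty's escape_html setting), which is not visible in this hunk; if that setting were ever disabled, the message would be unescaped again with nothing in the template to show it. A one-line template comment would make the intent survive later edits: `{{* $message and $thrown may contain user-supplied strings: keep auto-escaping, do not add nofilter *}}`. A message that legitimately carried markup will now render as literal text, which this commit accepts. The `{{if $thrown}}` block continues past the end of the hunk.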


@ -4,7 +4,7 @@
</head>
<body>
<h1>{{$title}}</h1>
<p>{{$message nofilter}}</p>
<p>{{$message}}</p>
{{if $trace}}
<pre>{{$trace nofilter}}</pre>
{{/if}}
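Review bot: `<pre>{{$trace nofilter}}</pre>` two lines below the changed `{{$message}}` still bypasses escaping, and the commit's own reason for dropping `nofilter` — exception messages can carry user-supplied strings — applies there too if `$trace` is a stack-trace string, since such a string may embed the exception message and call arguments. A `<pre>` block needs no markup, so the same one-token change is safe: `<pre>{{$trace}}</pre>`. If `$trace` is only populated for site administrators, as the PHP hunk's `isSiteAdmin` gate on `$thrown` suggests, the exposure is narrower but the escaping still costs nothing; if it is intentionally pre-rendered HTML, a template comment should say so.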