Ensure arbitrary HTTPException messages are HTML escaped

- These messages can include user-supplied strings
2024-05-17 11:46:43 +02:00 · 2023-02-04 19:19:43 -05:00 · 2023-02-04 19:19:43 -05:00 · 447709377c
parent 4e355c0f5e
commit 447709377c
3 changed files with 3 additions and 2 deletions
--- a/src/Module/Special/HTTPException.php
+++ b/src/Module/Special/HTTPException.php
@ -104,6 +104,7 @@ class HTTPException
 				$tpl     = Renderer::getMarkupTemplate('http_status.tpl');
 				$content = Renderer::replaceMacros($tpl, $vars);
 			} catch (\Exception $e) {
+				$vars = array_map('htmlentities', $vars);
 				$content = "<h1>{$vars['$title']}</h1><p>{$vars['$message']}</p>";
 				if ($this->isSiteAdmin) {
 					$content .= "<p>{$vars['$thrown']}</p>";
--- a/view/templates/exception.tpl
+++ b/view/templates/exception.tpl
@ -1,7 +1,7 @@
 <div id="exception" class="generic-page-wrapper">
    <img class="hare" src="images/friendica-404_svg_flexy-o-hare.png"/>
    <h1>{{$title}}</h1>
-    <p>{{$message nofilter}}</p>
+    <p>{{$message}}</p>
 {{if $thrown}}
 	<pre>{{$thrown}}
 {{$stack_trace}}
--- a/view/templates/http_status.tpl
+++ b/view/templates/http_status.tpl
@ -4,7 +4,7 @@
 	</head>
 	<body>
 		<h1>{{$title}}</h1>
-		<p>{{$message nofilter}}</p>
+		<p>{{$message}}</p>
 	{{if $trace}}
 		<pre>{{$trace nofilter}}</pre>
 	{{/if}}