Merge pull request #12773 from MrPetovan/bug/return-xss

Ensure arbitrary HTTPException messages are HTML escaped

src/App/BaseURL.php

@@ -341,7 +341,7 @@ class BaseURL
 	public function redirect(string $toUrl = '', bool $ssl = false)
 	{
 		if (!empty(parse_url($toUrl, PHP_URL_SCHEME))) {
-			throw new HTTPException\InternalServerErrorException("'$toUrl is not a relative path, please use System::externalRedirectTo");
+			throw new HTTPException\InternalServerErrorException("$toUrl is not a relative path, please use System::externalRedirectTo");
 		}
 
 		$redirectTo = $this->get($ssl) . '/' . ltrim($toUrl, '/');

src/Module/Item/Display.php

@@ -37,6 +37,7 @@ use Friendica\Model\Post;
 use Friendica\Model\Profile;
 use Friendica\Model\User;
 use Friendica\Module\Response;
+use Friendica\Module\Special\DisplayNotFound;
 use Friendica\Navigation\Notifications\Repository\Notification;
 use Friendica\Navigation\Notifications\Repository\Notify;
 use Friendica\Protocol\ActivityPub;
@@ -246,14 +247,8 @@ class Display extends BaseModule
 
 		if (empty($item)) {
 			$this->page['aside'] = '';
-			throw new HTTPException\NotFoundException($this->t('Unfortunately, the requested conversation isn\'t available to you.</p>
-<p>Possible reasons include:</p>
-<ul>
-	<li>The top-level post isn\'t visible.</li>
-	<li>The top-level post was deleted.</li>
-	<li>The node has blocked the top-level author or the author of the shared post.</li>
-	<li>You have ignored or blocked the top-level author or the author of the shared post.</li>
-</ul><p>'));
+			$displayNotFound = new DisplayNotFound($this->l10n, $this->baseUrl, $this->args, $this->logger, $this->profiler, $this->response, $this->server, $this->parameters);
+			return $displayNotFound->content();
 		}
 
 		$item['uri-id'] = $item['parent-uri-id'];

src/Module/Special/DisplayNotFound.php

@@ -0,0 +1,49 @@
+<?php
+/**
+ * @copyright Copyright (C) 2010-2023, the Friendica project
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace Friendica\Module\Special;
+
+use Friendica\Core\Renderer;
+
+/**
+ * This is a special case of the HTTPException module where the message is intended to be HTML.
+ * This module should be called directly from the Display module and shouldn't be routed to.
+ */
+class DisplayNotFound extends \Friendica\BaseModule
+{
+	protected function content(array $request = []): string
+	{
+		$tpl = Renderer::getMarkupTemplate('special/displaynotfound.tpl');
+		return Renderer::replaceMacros($tpl, [
+			'$l10n' => [
+				'title'   => $this->t('Not Found'),
+				'message' => $this->t("<p>Unfortunately, the requested conversation isn't available to you.</p>
+<p>Possible reasons include:</p>
+<ul>
+	<li>The top-level post isn't visible.</li>
+	<li>The top-level post was deleted.</li>
+	<li>The node has blocked the top-level author or the author of the shared post.</li>
+	<li>You have ignored or blocked the top-level author or the author of the shared post.</li>
+</ul>"),
+			]
+		]);
+	}
+}

src/Module/Special/HTTPException.php

@@ -104,6 +104,7 @@ class HTTPException
 				$tpl     = Renderer::getMarkupTemplate('http_status.tpl');
 				$content = Renderer::replaceMacros($tpl, $vars);
 			} catch (\Exception $e) {
+				$vars = array_map('htmlentities', $vars);
 				$content = "<h1>{$vars['$title']}</h1><p>{$vars['$message']}</p>";
 				if ($this->isSiteAdmin) {
 					$content .= "<p>{$vars['$thrown']}</p>";

view/lang/C/messages.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: 2023.03-dev\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2023-01-23 06:47+0000\n"
+"POT-Creation-Date: 2023-02-04 19:53-0500\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -1925,39 +1925,39 @@ msgstr ""
 msgid "last"
 msgstr ""
 
-#: src/Content/Text/BBCode.php:1015 src/Content/Text/BBCode.php:1877
-#: src/Content/Text/BBCode.php:1878
+#: src/Content/Text/BBCode.php:949 src/Content/Text/BBCode.php:1811
+#: src/Content/Text/BBCode.php:1812
 msgid "Image/photo"
 msgstr ""
 
-#: src/Content/Text/BBCode.php:1232
+#: src/Content/Text/BBCode.php:1166
 #, php-format
 msgid ""
 "<a href=\"%1$s\" target=\"_blank\" rel=\"noopener noreferrer\">%2$s</a> %3$s"
 msgstr ""
 
-#: src/Content/Text/BBCode.php:1257 src/Model/Item.php:3572
+#: src/Content/Text/BBCode.php:1191 src/Model/Item.php:3572
 #: src/Model/Item.php:3578 src/Model/Item.php:3579
 msgid "Link to source"
 msgstr ""
 
-#: src/Content/Text/BBCode.php:1795 src/Content/Text/HTML.php:929
+#: src/Content/Text/BBCode.php:1729 src/Content/Text/HTML.php:929
 msgid "Click to open/close"
 msgstr ""
 
-#: src/Content/Text/BBCode.php:1826
+#: src/Content/Text/BBCode.php:1760
 msgid "$1 wrote:"
 msgstr ""
 
-#: src/Content/Text/BBCode.php:1882 src/Content/Text/BBCode.php:1883
+#: src/Content/Text/BBCode.php:1816 src/Content/Text/BBCode.php:1817
 msgid "Encrypted content"
 msgstr ""
 
-#: src/Content/Text/BBCode.php:2110
+#: src/Content/Text/BBCode.php:2044
 msgid "Invalid source protocol"
 msgstr ""
 
-#: src/Content/Text/BBCode.php:2125
+#: src/Content/Text/BBCode.php:2059
 msgid "Invalid link protocol"
 msgstr ""
 
@@ -2896,68 +2896,68 @@ msgstr ""
 msgid "Forum"
 msgstr ""
 
-#: src/Model/Contact.php:2929
+#: src/Model/Contact.php:2942
 msgid "Disallowed profile URL."
 msgstr ""
 
-#: src/Model/Contact.php:2934 src/Module/Friendica.php:83
+#: src/Model/Contact.php:2947 src/Module/Friendica.php:83
 msgid "Blocked domain"
 msgstr ""
 
-#: src/Model/Contact.php:2939
+#: src/Model/Contact.php:2952
 msgid "Connect URL missing."
 msgstr ""
 
-#: src/Model/Contact.php:2948
+#: src/Model/Contact.php:2961
 msgid ""
 "The contact could not be added. Please check the relevant network "
 "credentials in your Settings -> Social Networks page."
 msgstr ""
 
-#: src/Model/Contact.php:2966
+#: src/Model/Contact.php:2979
 #, php-format
 msgid "Expected network %s does not match actual network %s"
 msgstr ""
 
-#: src/Model/Contact.php:2983
+#: src/Model/Contact.php:2996
 msgid "The profile address specified does not provide adequate information."
 msgstr ""
 
-#: src/Model/Contact.php:2985
+#: src/Model/Contact.php:2998
 msgid "No compatible communication protocols or feeds were discovered."
 msgstr ""
 
-#: src/Model/Contact.php:2988
+#: src/Model/Contact.php:3001
 msgid "An author or name was not found."
 msgstr ""
 
-#: src/Model/Contact.php:2991
+#: src/Model/Contact.php:3004
 msgid "No browser URL could be matched to this address."
 msgstr ""
 
-#: src/Model/Contact.php:2994
+#: src/Model/Contact.php:3007
 msgid ""
 "Unable to match @-style Identity Address with a known protocol or email "
 "contact."
 msgstr ""
 
-#: src/Model/Contact.php:2995
+#: src/Model/Contact.php:3008
 msgid "Use mailto: in front of address to force email check."
 msgstr ""
 
-#: src/Model/Contact.php:3001
+#: src/Model/Contact.php:3014
 msgid ""
 "The profile address specified belongs to a network which has been disabled "
 "on this site."
 msgstr ""
 
-#: src/Model/Contact.php:3006
+#: src/Model/Contact.php:3019
 msgid ""
 "Limited profile. This person will be unable to receive direct/personal "
 "notifications from you."
 msgstr ""
 
-#: src/Model/Contact.php:3071
+#: src/Model/Contact.php:3084
 msgid "Unable to retrieve contact information."
 msgstr ""
 
@@ -3188,7 +3188,7 @@ msgstr ""
 msgid "[no subject]"
 msgstr ""
 
-#: src/Model/Photo.php:1178 src/Module/Media/Photo/Upload.php:198
+#: src/Model/Photo.php:1184 src/Module/Media/Photo/Upload.php:198
 msgid "Wall Photos"
 msgstr ""
 
@@ -5373,26 +5373,26 @@ msgstr ""
 msgid "User registrations waiting for confirmation"
 msgstr ""
 
-#: src/Module/BaseApi.php:255 src/Module/BaseApi.php:271
-#: src/Module/BaseApi.php:287
+#: src/Module/BaseApi.php:266 src/Module/BaseApi.php:282
+#: src/Module/BaseApi.php:298
 msgid "Too Many Requests"
 msgstr ""
 
-#: src/Module/BaseApi.php:256
+#: src/Module/BaseApi.php:267
 #, php-format
 msgid "Daily posting limit of %d post reached. The post was rejected."
 msgid_plural "Daily posting limit of %d posts reached. The post was rejected."
 msgstr[0] ""
 msgstr[1] ""
 
-#: src/Module/BaseApi.php:272
+#: src/Module/BaseApi.php:283
 #, php-format
 msgid "Weekly posting limit of %d post reached. The post was rejected."
 msgid_plural "Weekly posting limit of %d posts reached. The post was rejected."
 msgstr[0] ""
 msgstr[1] ""
 
-#: src/Module/BaseApi.php:288
+#: src/Module/BaseApi.php:299
 #, php-format
 msgid "Monthly posting limit of %d post reached. The post was rejected."
 msgid_plural ""
@@ -5875,7 +5875,7 @@ msgstr[1] ""
 #: src/Module/Contact/Follow.php:69 src/Module/Contact/Redir.php:62
 #: src/Module/Contact/Redir.php:222 src/Module/Conversation/Community.php:194
 #: src/Module/Debug/ItemBody.php:38 src/Module/Diaspora/Receive.php:57
-#: src/Module/Item/Display.php:95 src/Module/Item/Feed.php:59
+#: src/Module/Item/Display.php:96 src/Module/Item/Feed.php:59
 #: src/Module/Item/Follow.php:41 src/Module/Item/Ignore.php:41
 #: src/Module/Item/Pin.php:41 src/Module/Item/Pin.php:56
 #: src/Module/Item/Star.php:42 src/Module/Update/Display.php:37
@@ -7158,24 +7158,10 @@ msgid ""
 "<a href=\"/settings/display\">Theme Customization settings</a>."
 msgstr ""
 
-#: src/Module/Item/Display.php:135 src/Module/Update/Display.php:55
+#: src/Module/Item/Display.php:136 src/Module/Update/Display.php:55
 msgid "The requested item doesn't exist or has been deleted."
 msgstr ""
 
-#: src/Module/Item/Display.php:249
-msgid ""
-"Unfortunately, the requested conversation isn't available to you.</p>\n"
-"<p>Possible reasons include:</p>\n"
-"<ul>\n"
-"\t<li>The top-level post isn't visible.</li>\n"
-"\t<li>The top-level post was deleted.</li>\n"
-"\t<li>The node has blocked the top-level author or the author of the shared "
-"post.</li>\n"
-"\t<li>You have ignored or blocked the top-level author or the author of the "
-"shared post.</li>\n"
-"</ul><p>"
-msgstr ""
-
 #: src/Module/Item/Feed.php:86
 msgid "The feed for this item is unavailable."
 msgstr ""
@@ -8068,7 +8054,7 @@ msgstr ""
 msgid "Unsupported or missing response type"
 msgstr ""
 
-#: src/Module/OAuth/Authorize.php:59 src/Module/OAuth/Token.php:76
+#: src/Module/OAuth/Authorize.php:59 src/Module/OAuth/Token.php:77
 msgid "Incomplete request data"
 msgstr ""
 
@@ -8079,11 +8065,11 @@ msgid ""
 "close this window: %s"
 msgstr ""
 
-#: src/Module/OAuth/Token.php:81
+#: src/Module/OAuth/Token.php:82
 msgid "Invalid data or unknown client"
 msgstr ""
 
-#: src/Module/OAuth/Token.php:100
+#: src/Module/OAuth/Token.php:104
 msgid "Unsupported or missing grant type"
 msgstr ""
 
@@ -8264,20 +8250,20 @@ msgstr ""
 
 #: src/Module/Profile/Conversations.php:106
 #: src/Module/Profile/Conversations.php:109 src/Module/Profile/Profile.php:351
-#: src/Module/Profile/Profile.php:354 src/Protocol/Feed.php:1025
-#: src/Protocol/OStatus.php:1045
+#: src/Module/Profile/Profile.php:354 src/Protocol/Feed.php:1026
+#: src/Protocol/OStatus.php:1007
 #, php-format
 msgid "%s's timeline"
 msgstr ""
 
 #: src/Module/Profile/Conversations.php:107 src/Module/Profile/Profile.php:352
-#: src/Protocol/Feed.php:1029 src/Protocol/OStatus.php:1050
+#: src/Protocol/Feed.php:1030 src/Protocol/OStatus.php:1012
 #, php-format
 msgid "%s's posts"
 msgstr ""
 
 #: src/Module/Profile/Conversations.php:108 src/Module/Profile/Profile.php:353
-#: src/Protocol/Feed.php:1032 src/Protocol/OStatus.php:1054
+#: src/Protocol/Feed.php:1033 src/Protocol/OStatus.php:1016
 #, php-format
 msgid "%s's comments"
 msgstr ""
@@ -10359,6 +10345,24 @@ msgid ""
 "e.g. Mastodon."
 msgstr ""
 
+#: src/Module/Special/DisplayNotFound.php:37
+msgid "Not Found"
+msgstr ""
+
+#: src/Module/Special/DisplayNotFound.php:38
+msgid ""
+"<p>Unfortunately, the requested conversation isn't available to you.</p>\n"
+"<p>Possible reasons include:</p>\n"
+"<ul>\n"
+"\t<li>The top-level post isn't visible.</li>\n"
+"\t<li>The top-level post was deleted.</li>\n"
+"\t<li>The node has blocked the top-level author or the author of the shared "
+"post.</li>\n"
+"\t<li>You have ignored or blocked the top-level author or the author of the "
+"shared post.</li>\n"
+"</ul>"
+msgstr ""
+
 #: src/Module/Special/HTTPException.php:78
 msgid "Stack trace:"
 msgstr ""
@@ -11332,21 +11336,21 @@ msgstr ""
 msgid "(no subject)"
 msgstr ""
 
-#: src/Protocol/OStatus.php:1470
+#: src/Protocol/OStatus.php:1388
 #, php-format
 msgid "%s is now following %s."
 msgstr ""
 
-#: src/Protocol/OStatus.php:1471
+#: src/Protocol/OStatus.php:1389
 msgid "following"
 msgstr ""
 
-#: src/Protocol/OStatus.php:1474
+#: src/Protocol/OStatus.php:1392
 #, php-format
 msgid "%s stopped following %s."
 msgstr ""
 
-#: src/Protocol/OStatus.php:1475
+#: src/Protocol/OStatus.php:1393
 msgid "stopped following"
 msgstr ""
 

view/templates/exception.tpl

@@ -1,7 +1,7 @@
 <div id="exception" class="generic-page-wrapper">
     <img class="hare" src="images/friendica-404_svg_flexy-o-hare.png"/>
     <h1>{{$title}}</h1>
-    <p>{{$message nofilter}}</p>
+    <p>{{$message}}</p>
 {{if $thrown}}
 	<pre>{{$thrown}}
 {{$stack_trace}}

view/templates/http_status.tpl

@@ -4,7 +4,7 @@
 	</head>
 	<body>
 		<h1>{{$title}}</h1>
-		<p>{{$message nofilter}}</p>
+		<p>{{$message}}</p>
 	{{if $trace}}
 		<pre>{{$trace nofilter}}</pre>
 	{{/if}}

view/templates/special/displaynotfound.tpl

@@ -0,0 +1,5 @@
+<div id="exception" class="generic-page-wrapper">
+	<img class="hare" src="images/friendica-404_svg_flexy-o-hare.png"/>
+	<h1>{{$title}}</h1>
+	{{$message nofilter}}
+</div>