From 31d5823d1071dc1481c4524157265157c7f292b2 Mon Sep 17 00:00:00 2001 From: Mauricio Garavaglia Date: Tue, 9 Nov 2021 18:39:54 -0300 Subject: [PATCH] Escape HTML from messages in error page (#4430) Co-authored-by: Asher Co-authored-by: Joe Previte --- src/node/routes/errors.ts | 4 ++-- test/unit/node/routes/errors.test.ts | 35 ++++++++++++++++++++++++++++ 2 files changed, 37 insertions(+), 2 deletions(-) create mode 100644 test/unit/node/routes/errors.test.ts diff --git a/src/node/routes/errors.ts b/src/node/routes/errors.ts index 757e9f744..66f424ac2 100644 --- a/src/node/routes/errors.ts +++ b/src/node/routes/errors.ts @@ -6,7 +6,7 @@ import { WebsocketRequest } from "../../../typings/pluginapi" import { HttpCode } from "../../common/http" import { rootPath } from "../constants" import { replaceTemplates } from "../http" -import { getMediaMime } from "../util" +import { escapeHtml, getMediaMime } from "../util" const notFoundCodes = ["ENOENT", "EISDIR", "FileNotFound"] export const errorHandler: express.ErrorRequestHandler = async (err, req, res, next) => { @@ -29,7 +29,7 @@ export const errorHandler: express.ErrorRequestHandler = async (err, req, res, n replaceTemplates(req, content) .replace(/{{ERROR_TITLE}}/g, status) .replace(/{{ERROR_HEADER}}/g, status) - .replace(/{{ERROR_BODY}}/g, err.message), + .replace(/{{ERROR_BODY}}/g, escapeHtml(err.message)), ) } else { res.json({ diff --git a/test/unit/node/routes/errors.test.ts b/test/unit/node/routes/errors.test.ts new file mode 100644 index 000000000..ffa8f4791 --- /dev/null +++ b/test/unit/node/routes/errors.test.ts @@ -0,0 +1,35 @@ +import express from "express" +import { errorHandler } from "../../../../src/node/routes/errors" + +describe("error page is rendered for text/html requests", () => { + it("escapes any html in the error messages", async () => { + const next = jest.fn() + const err = { + code: "ENOENT", + statusCode: 404, + message: ";>hello", + } + const req = createRequest() + const res = { + status: jest.fn().mockReturnValue(this), + send: jest.fn().mockReturnValue(this), + set: jest.fn().mockReturnValue(this), + } as unknown as express.Response + + await errorHandler(err, req, res, next) + expect(res.status).toHaveBeenCalledWith(404) + expect(res.send).toHaveBeenCalledWith(expect.not.stringContaining("