Escape HTML from messages in error page (#4430)

Co-authored-by: Asher <ash@coder.com> Co-authored-by: Joe Previte <jjprevite@gmail.com>
2021-11-09 18:39:54 -03:00
parent 605c3c6367
commit 31d5823d10
2 changed files with 37 additions and 2 deletions
--- a/src/node/routes/errors.ts
+++ b/src/node/routes/errors.ts
@ -6,7 +6,7 @@ import { WebsocketRequest } from "../../../typings/pluginapi"
 import { HttpCode } from "../../common/http"
 import { rootPath } from "../constants"
 import { replaceTemplates } from "../http"
-import { getMediaMime } from "../util"
+import { escapeHtml, getMediaMime } from "../util"

 const notFoundCodes = ["ENOENT", "EISDIR", "FileNotFound"]
 export const errorHandler: express.ErrorRequestHandler = async (err, req, res, next) => {
@ -29,7 +29,7 @@ export const errorHandler: express.ErrorRequestHandler = async (err, req, res, n
      replaceTemplates(req, content)
        .replace(/{{ERROR_TITLE}}/g, status)
        .replace(/{{ERROR_HEADER}}/g, status)
-        .replace(/{{ERROR_BODY}}/g, err.message),
+        .replace(/{{ERROR_BODY}}/g, escapeHtml(err.message)),
    )
  } else {
    res.json({