Archived
1
0

Escape HTML from messages in error page (#4430)

Co-authored-by: Asher <ash@coder.com>
Co-authored-by: Joe Previte <jjprevite@gmail.com>
This commit is contained in:
Mauricio Garavaglia 2021-11-09 18:39:54 -03:00 committed by GitHub
parent 605c3c6367
commit 31d5823d10
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 37 additions and 2 deletions

View File

@ -6,7 +6,7 @@ import { WebsocketRequest } from "../../../typings/pluginapi"
import { HttpCode } from "../../common/http" import { HttpCode } from "../../common/http"
import { rootPath } from "../constants" import { rootPath } from "../constants"
import { replaceTemplates } from "../http" import { replaceTemplates } from "../http"
import { getMediaMime } from "../util" import { escapeHtml, getMediaMime } from "../util"
const notFoundCodes = ["ENOENT", "EISDIR", "FileNotFound"] const notFoundCodes = ["ENOENT", "EISDIR", "FileNotFound"]
export const errorHandler: express.ErrorRequestHandler = async (err, req, res, next) => { export const errorHandler: express.ErrorRequestHandler = async (err, req, res, next) => {
@ -29,7 +29,7 @@ export const errorHandler: express.ErrorRequestHandler = async (err, req, res, n
replaceTemplates(req, content) replaceTemplates(req, content)
.replace(/{{ERROR_TITLE}}/g, status) .replace(/{{ERROR_TITLE}}/g, status)
.replace(/{{ERROR_HEADER}}/g, status) .replace(/{{ERROR_HEADER}}/g, status)
.replace(/{{ERROR_BODY}}/g, err.message), .replace(/{{ERROR_BODY}}/g, escapeHtml(err.message)),
) )
} else { } else {
res.json({ res.json({

View File

@ -0,0 +1,35 @@
import express from "express"
import { errorHandler } from "../../../../src/node/routes/errors"
describe("error page is rendered for text/html requests", () => {
it("escapes any html in the error messages", async () => {
const next = jest.fn()
const err = {
code: "ENOENT",
statusCode: 404,
message: ";>hello<script>alert(1)</script>",
}
const req = createRequest()
const res = {
status: jest.fn().mockReturnValue(this),
send: jest.fn().mockReturnValue(this),
set: jest.fn().mockReturnValue(this),
} as unknown as express.Response
await errorHandler(err, req, res, next)
expect(res.status).toHaveBeenCalledWith(404)
expect(res.send).toHaveBeenCalledWith(expect.not.stringContaining("<script>"))
})
})
function createRequest(): express.Request {
return {
headers: {
accept: ["text/html"],
},
originalUrl: "http://example.com/test",
query: {
to: "test",
},
} as unknown as express.Request
}