Escape HTML from messages in error page (#4430)
Co-authored-by: Asher <ash@coder.com> Co-authored-by: Joe Previte <jjprevite@gmail.com>
This commit is contained in:
parent
605c3c6367
commit
31d5823d10
@ -6,7 +6,7 @@ import { WebsocketRequest } from "../../../typings/pluginapi"
|
|||||||
import { HttpCode } from "../../common/http"
|
import { HttpCode } from "../../common/http"
|
||||||
import { rootPath } from "../constants"
|
import { rootPath } from "../constants"
|
||||||
import { replaceTemplates } from "../http"
|
import { replaceTemplates } from "../http"
|
||||||
import { getMediaMime } from "../util"
|
import { escapeHtml, getMediaMime } from "../util"
|
||||||
|
|
||||||
const notFoundCodes = ["ENOENT", "EISDIR", "FileNotFound"]
|
const notFoundCodes = ["ENOENT", "EISDIR", "FileNotFound"]
|
||||||
export const errorHandler: express.ErrorRequestHandler = async (err, req, res, next) => {
|
export const errorHandler: express.ErrorRequestHandler = async (err, req, res, next) => {
|
||||||
@ -29,7 +29,7 @@ export const errorHandler: express.ErrorRequestHandler = async (err, req, res, n
|
|||||||
replaceTemplates(req, content)
|
replaceTemplates(req, content)
|
||||||
.replace(/{{ERROR_TITLE}}/g, status)
|
.replace(/{{ERROR_TITLE}}/g, status)
|
||||||
.replace(/{{ERROR_HEADER}}/g, status)
|
.replace(/{{ERROR_HEADER}}/g, status)
|
||||||
.replace(/{{ERROR_BODY}}/g, err.message),
|
.replace(/{{ERROR_BODY}}/g, escapeHtml(err.message)),
|
||||||
)
|
)
|
||||||
} else {
|
} else {
|
||||||
res.json({
|
res.json({
|
||||||
|
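--- /dev/null
+++ b/test/unit/node/routes/errors.test.ts
@@ -0,0 +1,35 @@
+import express from "express"
+import { errorHandler } from "../../../../src/node/routes/errors"
+
+describe("error page is rendered for text/html requests", () => {
+it("escapes any html in the error messages", async () => {
+const next = jest.fn()
+const err = {
+code: "ENOENT",
+statusCode: 404,
+message: ";>hello<script>alert(1)</script>",
+}
+const req = createRequest()
+const res = {
+status: jest.fn().mockReturnValue(this),
+send: jest.fn().mockReturnValue(this),
+set: jest.fn().mockReturnValue(this),
+} as unknown as express.Response
+
+await errorHandler(err, req, res, next)
+expect(res.status).toHaveBeenCalledWith(404)
+expect(res.send).toHaveBeenCalledWith(expect.not.stringContaining("<script>"))
+})
+})
+
+function createRequest(): express.Request {
+return {
+headers: {
+accept: ["text/html"],
+},
+originalUrl: "http://example.com/test",
+query: {
+to: "test",
+},
+} as unknown as express.Request
+}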
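Review bot: The `res` mock in the new test builds `status`, `send` and `set` with `jest.fn().mockReturnValue(this)`, but `this` inside an arrow callback at module scope is not the mock object, so the stubs do not return `res`; if errorHandler chains `res.status(...).send(...)` (its body is outside this section, so this is inferred), the chained call would hit `undefined` rather than the mock. `status: jest.fn().mockReturnThis(), send: jest.fn().mockReturnThis(), set: jest.fn().mockReturnThis(),` expresses the intended fluent behaviour and keeps the mock independent of the surrounding `this`. The assertion `expect.not.stringContaining("<script>")` also holds if the message were dropped from the page entirely; asserting that the sent body contains the escaped form produced by escapeHtml for `err.message` would pin the fix rather than only the absence of the raw tag.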