From 447709377c9597a0a742d0953acac58408123936 Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Sat, 4 Feb 2023 19:19:43 -0500 Subject: [PATCH] Ensure arbitrary HTTPException messages are HTML escaped - These messages can include user-supplied strings --- src/Module/Special/HTTPException.php | 1 + view/templates/exception.tpl | 2 +- view/templates/http_status.tpl | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/src/Module/Special/HTTPException.php b/src/Module/Special/HTTPException.php index 9c9a29c55..8a8cc30eb 100644 --- a/src/Module/Special/HTTPException.php +++ b/src/Module/Special/HTTPException.php @@ -104,6 +104,7 @@ class HTTPException $tpl = Renderer::getMarkupTemplate('http_status.tpl'); $content = Renderer::replaceMacros($tpl, $vars); } catch (\Exception $e) { + $vars = array_map('htmlentities', $vars); $content = "

{$vars['$title']}

{$vars['$message']}

"; if ($this->isSiteAdmin) { $content .= "

{$vars['$thrown']}

"; diff --git a/view/templates/exception.tpl b/view/templates/exception.tpl index 3499a5cb1..cdeb6d96f 100644 --- a/view/templates/exception.tpl +++ b/view/templates/exception.tpl @@ -1,7 +1,7 @@

{{$title}}

-

{{$message nofilter}}

+

{{$message}}

{{if $thrown}}
{{$thrown}}
 {{$stack_trace}}
diff --git a/view/templates/http_status.tpl b/view/templates/http_status.tpl
index 874bf9669..bd6ecb3a5 100644
--- a/view/templates/http_status.tpl
+++ b/view/templates/http_status.tpl
@@ -4,7 +4,7 @@
 	
 	
 		

{{$title}}

-

{{$message nofilter}}

+

{{$message}}

{{if $trace}}
{{$trace nofilter}}
{{/if}}