Ensure arbitrary HTTPException messages are HTML escaped
- These messages can include user-supplied strings
parent
4e355c0f5e
commit
447709377c
3 changed files with 3 additions and 2 deletions
|
@ -104,6 +104,7 @@ class HTTPException
|
|||
$tpl = Renderer::getMarkupTemplate('http_status.tpl');
|
||||
$content = Renderer::replaceMacros($tpl, $vars);
|
||||
} catch (\Exception $e) {
|
||||
$vars = array_map('htmlentities', $vars);
|
||||
$content = "<h1>{$vars['$title']}</h1><p>{$vars['$message']}</p>";
|
||||
if ($this->isSiteAdmin) {
|
||||
$content .= "<p>{$vars['$thrown']}</p>";
|
||||
|
|
|
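Review bot: The added `array_map('htmlentities', $vars)` escapes every entry, but `htmlentities()` accepts only strings, so if `$vars` carries a non-string value (a null stack trace, a boolean flag, an array) the call raises a TypeError or a deprecation inside the fallback `catch`, turning the plain-HTML error page into a second failure; what `$vars` holds is assembled above the hunk, so treat this as a hedge to verify. The flags are also implicit, and before PHP 8.1 the default omits ENT_QUOTES and ENT_SUBSTITUTE, so a message containing an invalid UTF-8 sequence is replaced by an empty string rather than escaped. An explicit, string-coercing escape avoids both: `$vars = array_map(function ($v) { return htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }, $vars);`. The enclosing method starts before the hunk.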
@ -1,7 +1,7 @@
|
|||
<div id="exception" class="generic-page-wrapper">
|
||||
<img class="hare" src="images/friendica-404_svg_flexy-o-hare.png"/>
|
||||
<h1>{{$title}}</h1>
|
||||
<p>{{$message nofilter}}</p>
|
||||
<p>{{$message}}</p>
|
||||
{{if $thrown}}
|
||||
<pre>{{$thrown}}
|
||||
{{$stack_trace}}
|
||||
|
|
|
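Review bot: Dropping `nofilter` from `{{$message}}` makes the escaping depend on the renderer having Smarty's default HTML escaping enabled, and nothing in the template records that the modifier was removed on purpose, so it can easily be reintroduced by the next person who needs a link in an error page. Add a template comment above the line, e.g. `{* $message may carry user input; keep it auto-escaped, never nofilter *}`. If any caller previously passed intentional markup in `$message`, it will now render as literal tags; whether that happens depends on callers outside this template. The `<pre>` opened inside `{{if $thrown}}` is closed outside the hunk.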
@ -4,7 +4,7 @@
|
|||
</head>
|
||||
<body>
|
||||
<h1>{{$title}}</h1>
|
||||
<p>{{$message nofilter}}</p>
|
||||
<p>{{$message}}</p>
|
||||
{{if $trace}}
|
||||
<pre>{{$trace nofilter}}</pre>
|
||||
{{/if}}
|
||||
|
|
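Review bot: The same hunk still renders `<pre>{{$trace nofilter}}</pre>` unescaped on the new side, and an exception trace string commonly embeds the exception message, so the user-supplied text this commit escapes in `{{$message}}` can reach the page a few lines later through `$trace`; whether `$trace` includes the message depends on how it is populated outside this template, so this is a hedge worth checking. A `<pre>` block needs no raw HTML, so `<pre>{{$trace}}</pre>` keeps the trace readable while closing that path. Even if the trace is shown only to administrators, an unescaped message there is a self-XSS against the admin session.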