Escape HTML from messages in error page (#4430)
Co-authored-by: Asher <ash@coder.com> Co-authored-by: Joe Previte <jjprevite@gmail.com>
This commit is contained in:
parent
605c3c6367
commit
31d5823d10
|
@ -6,7 +6,7 @@ import { WebsocketRequest } from "../../../typings/pluginapi"
|
|||
import { HttpCode } from "../../common/http"
|
||||
import { rootPath } from "../constants"
|
||||
import { replaceTemplates } from "../http"
|
||||
import { getMediaMime } from "../util"
|
||||
import { escapeHtml, getMediaMime } from "../util"
|
||||
|
||||
const notFoundCodes = ["ENOENT", "EISDIR", "FileNotFound"]
|
||||
export const errorHandler: express.ErrorRequestHandler = async (err, req, res, next) => {
|
||||
|
@ -29,7 +29,7 @@ export const errorHandler: express.ErrorRequestHandler = async (err, req, res, n
|
|||
replaceTemplates(req, content)
|
||||
.replace(/{{ERROR_TITLE}}/g, status)
|
||||
.replace(/{{ERROR_HEADER}}/g, status)
|
||||
.replace(/{{ERROR_BODY}}/g, err.message),
|
||||
.replace(/{{ERROR_BODY}}/g, escapeHtml(err.message)),
|
||||
)
|
||||
} else {
|
||||
res.json({
|
||||
|
|
|
@ -0,0 +1,35 @@
|
|||
import express from "express"
|
||||
import { errorHandler } from "../../../../src/node/routes/errors"
|
||||
|
||||
describe("error page is rendered for text/html requests", () => {
|
||||
it("escapes any html in the error messages", async () => {
|
||||
const next = jest.fn()
|
||||
const err = {
|
||||
code: "ENOENT",
|
||||
statusCode: 404,
|
||||
message: ";>hello<script>alert(1)</script>",
|
||||
}
|
||||
const req = createRequest()
|
||||
const res = {
|
||||
status: jest.fn().mockReturnValue(this),
|
||||
send: jest.fn().mockReturnValue(this),
|
||||
set: jest.fn().mockReturnValue(this),
|
||||
} as unknown as express.Response
|
||||
|
||||
await errorHandler(err, req, res, next)
|
||||
expect(res.status).toHaveBeenCalledWith(404)
|
||||
expect(res.send).toHaveBeenCalledWith(expect.not.stringContaining("<script>"))
|
||||
})
|
||||
})
|
||||
|
||||
function createRequest(): express.Request {
|
||||
return {
|
||||
headers: {
|
||||
accept: ["text/html"],
|
||||
},
|
||||
originalUrl: "http://example.com/test",
|
||||
query: {
|
||||
to: "test",
|
||||
},
|
||||
} as unknown as express.Request
|
||||
}
|
Loading…
Reference in New Issue