Ensure arbitrary HTTPException messages are HTML escaped

- These messages can include user-supplied strings

diff --git a/src/Module/Special/HTTPException.php b/src/Module/Special/HTTPException.php
index 9c9a29c55fd8c171b71a9eedc6cbaaf858f9d018..8a8cc30ebb99dcd7ae98acaf8e97699164240aa8 100644 (file)
--- a/src/Module/Special/HTTPException.php
+++ b/src/Module/Special/HTTPException.php
@@ -104,6 +104,7 @@ class HTTPException
                                $tpl     = Renderer::getMarkupTemplate('http_status.tpl');
                                $content = Renderer::replaceMacros($tpl, $vars);
                        } catch (\Exception $e) {
+                               $vars = array_map('htmlentities', $vars);
                                $content = "<h1>{$vars['$title']}</h1><p>{$vars['$message']}</p>";
                                if ($this->isSiteAdmin) {
                                        $content .= "<p>{$vars['$thrown']}</p>";

diff --git a/view/templates/exception.tpl b/view/templates/exception.tpl
index 3499a5cb158417520f01f61ac21184ce8059db0f..cdeb6d96f051aa840d9c7b78e7a2ab0ae00c2b06 100644 (file)
--- a/view/templates/exception.tpl
+++ b/view/templates/exception.tpl
@@ -1,7 +1,7 @@
 <div id="exception" class="generic-page-wrapper">
     <img class="hare" src="images/friendica-404_svg_flexy-o-hare.png"/>
     <h1>{{$title}}</h1>
-    <p>{{$message nofilter}}</p>
+    <p>{{$message}}</p>
 {{if $thrown}}
        <pre>{{$thrown}}
 {{$stack_trace}}

diff --git a/view/templates/http_status.tpl b/view/templates/http_status.tpl
index 874bf96691672f9d178447784a2a33ed8d751247..bd6ecb3a5345e6b2aae875c84d5b4e3070be8bcc 100644 (file)
--- a/view/templates/http_status.tpl
+++ b/view/templates/http_status.tpl
@@ -4,7 +4,7 @@
        </head>
        <body>
                <h1>{{$title}}</h1>
-               <p>{{$message nofilter}}</p>
+               <p>{{$message}}</p>
        {{if $trace}}
                <pre>{{$trace nofilter}}</pre>
        {{/if}}