From: Hypolite Petovan
Date: Sun, 5 Feb 2023 00:19:43 +0000 (-0500)
Subject: Ensure arbitrary HTTPException messages are HTML escaped
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=447709377c9597a0a742d0953acac58408123936;p=friendica.git
Ensure arbitrary HTTPException messages are HTML escaped
- These messages can include user-supplied strings
---
diff --git a/src/Module/Special/HTTPException.php b/src/Module/Special/HTTPException.php
index 9c9a29c55f..8a8cc30ebb 100644
--- a/src/Module/Special/HTTPException.php
+++ b/src/Module/Special/HTTPException.php
@@ -104,6 +104,7 @@ class HTTPException
 $tpl = Renderer::getMarkupTemplate('http_status.tpl');
 $content = Renderer::replaceMacros($tpl, $vars);
 } catch (\Exception $e) {
+ $vars = array_map('htmlentities', $vars);
 $content = "

{$vars['$title']}

{$vars['$message']}

";
 if ($this->isSiteAdmin) {
 $content .= "

{$vars['$thrown']}

";
diff --git a/view/templates/exception.tpl b/view/templates/exception.tpl
index 3499a5cb15..cdeb6d96f0 100644
--- a/view/templates/exception.tpl
+++ b/view/templates/exception.tpl
@@ -1,7 +1,7 @@
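Review bot: The added `$vars = array_map('htmlentities', $vars);` relies on the default flags of htmlentities, which before PHP 8.1 do not include ENT_SUBSTITUTE, so an exception message carrying an invalid UTF-8 sequence is converted to an empty string and the fallback page shows a blank title or message instead of the error. Spelling the flags out removes the dependency on the PHP version: `$vars = array_map(static fn ($v) => htmlspecialchars((string) $v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), $vars);`. The cast also covers a non-string entry in `$vars`, which the hunk does not let me rule out, and a short comment such as `// Fallback markup is built by string interpolation, so escape every value here` would explain why the escaping sits only in this catch branch while the template path is covered by the template changes in the same commit. The enclosing method continues past the end of the hunk, and the `$content` string literals on the following lines appear truncated on this page.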

{{$title}}

-

{{$message nofilter}}

+

{{$message}}

{{if $thrown}}
{{$thrown}}
 {{$stack_trace}}
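Review bot: With `nofilter` removed from `{{$message}}`, any HTTPException message that was deliberately composed with markup will now render its tags literally, which the commit accepts but does not record anywhere in the template. A template comment next to the changed line, such as `{* $message is auto-escaped: pass plain text, never pre-rendered HTML *}`, would stop a later change from reintroducing `nofilter` to "fix" a message that looks wrong. The same comment fits the matching line in http_status.tpl.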
diff --git a/view/templates/http_status.tpl b/view/templates/http_status.tpl
index 874bf96691..bd6ecb3a53 100644
--- a/view/templates/http_status.tpl
+++ b/view/templates/http_status.tpl
@@ -4,7 +4,7 @@
 	
 	
 		

{{$title}}

-

{{$message nofilter}}

+

{{$message}}

{{if $trace}}
{{$trace nofilter}}
{{/if}}
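Review bot: `{{$trace nofilter}}` in the trailing context of this hunk still bypasses auto-escaping while `{{$message}}` no longer does, and a rendered trace normally embeds the exception message and argument values, so the user-supplied strings this commit escapes in `$message` can still reach the page through `$trace` unless it is escaped where it is built, which is outside this diff. If the trace is plain text, `{{$trace}}` is the one-line fix and matches exception.tpl, where `{{$stack_trace}}` is already auto-escaped; if it is intentionally pre-rendered HTML, a comment stating that the producer escapes it would document the exception.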