Escape HTML from messages in error page (#4430)

Co-authored-by: N Asher <ash@coder.com> Co-authored-by: N Joe Previte <jjprevite@gmail.com>

Escape HTML from messages in error page (#4430)
Co-authored-by: N Asher <ash@coder.com> Co-authored-by: N Joe Previte <jjprevite@gmail.com>
31d5823d · Mauricio Garavaglia · GitHub · 605c3c63 · 31d5823d · 31d5823d
隐藏空白更改
内联并排

Showing with 37 addition and 2 deletion

src/node/routes/errors.ts src/node/routes/errors.ts +2 -2

test/unit/node/routes/errors.test.ts test/unit/node/routes/errors.test.ts +35 -0

未找到文件。
--- a/src/node/routes/errors.ts
+++ b/src/node/routes/errors.ts
@@ -6,7 +6,7 @@ import { WebsocketRequest } from "../../../typings/pluginapi"
 import { HttpCode } from "../../common/http"
 import { rootPath } from "../constants"
 import { replaceTemplates } from "../http"
-import { getMediaMime } from "../util"
+import { escapeHtml, getMediaMime } from "../util"

 const notFoundCodes = ["ENOENT", "EISDIR", "FileNotFound"]
 export const errorHandler: express.ErrorRequestHandler = async (err, req, res, next) => {
@@ -29,7 +29,7 @@ export const errorHandler: express.ErrorRequestHandler = async (err, req, res, n
      replaceTemplates(req, content)
        .replace(/{{ERROR_TITLE}}/g, status)
        .replace(/{{ERROR_HEADER}}/g, status)
-        .replace(/{{ERROR_BODY}}/g, err.message),
+        .replace(/{{ERROR_BODY}}/g, escapeHtml(err.message)),
    )
  } else {
    res.json({

--- a/test/unit/node/routes/errors.test.ts
+++ b/test/unit/node/routes/errors.test.ts
+import express from "express"
+import { errorHandler } from "../../../../src/node/routes/errors"
+
+describe("error page is rendered for text/html requests", () => {
+  it("escapes any html in the error messages", async () => {
+    const next = jest.fn()
+    const err = {
+      code: "ENOENT",
+      statusCode: 404,
+      message: ";>hello<script>alert(1)</script>",
+    }
+    const req = createRequest()
+    const res = {
+      status: jest.fn().mockReturnValue(this),
+      send: jest.fn().mockReturnValue(this),
+      set: jest.fn().mockReturnValue(this),
+    } as unknown as express.Response
+
+    await errorHandler(err, req, res, next)
+    expect(res.status).toHaveBeenCalledWith(404)
+    expect(res.send).toHaveBeenCalledWith(expect.not.stringContaining("<script>"))
+  })
+})
+
+function createRequest(): express.Request {
+  return {
+    headers: {
+      accept: ["text/html"],
+    },
+    originalUrl: "http://example.com/test",
+    query: {
+      to: "test",
+    },
+  } as unknown as express.Request
+}