Encode path output on NotFound screen to avoid tag/script injection i…

…n bogus url
laraf-bol · Sep 27, 2018 · 03c5278 · 03c5278
1 parent 1053a0a
commit 03c5278
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/base-component/webroot/screen/webroot/error/NotFound.xml b/base-component/webroot/screen/webroot/error/NotFound.xml
@@ -22,10 +22,10 @@ along with this software (see the LICENSE.md file). If not, see
                 <h1><i class="glyphicon glyphicon-link text-danger"></i> Page Not Found (${errorCode})</h1>
                 <#if errorThrowable??>
                     <#-- should always be a ScreenResourceNotFoundException -->
-                    <p class="text-danger">Could not find <code>${errorThrowable.pathFromLastScreen!}</code>
+                    <p class="text-danger">Could not find <code>${errorThrowable.pathFromLastScreen!?html}</code>
                         <#if errorThrowable.lastSd??>under ${errorThrowable.lastSd.getDefaultMenuName()}</#if>.</p>
-                    <p class="text-danger">The full path was: <#list errorThrowable.fullPathNameList as pathName><code>${pathName}</code><#if pathName_has_next>/</#if></#list></p>
-                    <#if errorThrowable.resourceLocation??><p class="text-danger">Resource not found at: ${errorThrowable.resourceLocation}</p></#if>
+                    <p class="text-danger">The full path was: <#list errorThrowable.fullPathNameList as pathName><code>${pathName?html}</code><#if pathName_has_next>/</#if></#list></p>
+                    <#if errorThrowable.resourceLocation??><p class="text-danger">Resource not found at: ${errorThrowable.resourceLocation?html}</p></#if>
                 <#else>
                     <p class="text-danger">${errorMessage!""}</p>
                 </#if>