Escape error messages

xp-forge · Aug 16, 2017 · c179c9c · c179c9c
1 parent 62473e4
commit c179c9c
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 4 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -3,6 +3,11 @@ Web change log
 
 ## ?.?.? / ????-??-??
 
+## 0.6.3 / 2017-08-16
+
+* Prevented possible security problems by escaping error messages
+  (@thekid)
+
 ## 0.6.2 / 2017-07-07
 
 * Added support for prefork mode; use `-m prefork[,n]` on command line

diff --git a/src/main/php/web/error.html b/src/main/php/web/error.html
@@ -18,7 +18,7 @@ <h1>
         <span id="message">%2$s</span>
       </h1>
       <p id="detail">%3$s</p>
-      <xmp id="trace">%4$s</xmp>
+      <pre id="trace">%4$s</pre>
     </div>
   </body>
 </html>
diff --git a/src/main/php/xp/web/HttpProtocol.class.php b/src/main/php/xp/web/HttpProtocol.class.php
@@ -43,9 +43,9 @@ private function sendError($request, $response, $error) {
       $response->send(sprintf(
         $loader->getResource($variant),
         $error->status(),
-        $message,
-        $error->getMessage(),
-        $error->toString()
+        htmlspecialchars($message),
+        htmlspecialchars($error->getMessage()),
+        htmlspecialchars($error->toString())
       ));
       break;
     }