Rev4054, Escape error detail to avoid XSS (reported by krzotr)
This commit is contained in:
parent
efbf70726f
commit
a5c7e59601
2 changed files with 4 additions and 4 deletions
|
@ -13,7 +13,7 @@ class Config(object):
|
|||
|
||||
def __init__(self, argv):
|
||||
self.version = "0.7.0"
|
||||
self.rev = 4053
|
||||
self.rev = 4054
|
||||
self.argv = argv
|
||||
self.action = None
|
||||
self.pending_changes = {}
|
||||
|
|
|
@ -795,12 +795,12 @@ class UiRequest(object):
|
|||
# Send file not found error
|
||||
def error404(self, path=""):
|
||||
self.sendHeader(404)
|
||||
return self.formatError("Not Found", html.escape(path), details=False)
|
||||
return self.formatError("Not Found", path, details=False)
|
||||
|
||||
# Internal server error
|
||||
def error500(self, message=":("):
|
||||
self.sendHeader(500)
|
||||
return self.formatError("Server error", html.escape(message))
|
||||
return self.formatError("Server error", message)
|
||||
|
||||
@helper.encodeResponse
|
||||
def formatError(self, title, message, details=True):
|
||||
|
@ -825,7 +825,7 @@ class UiRequest(object):
|
|||
<h3>Please <a href="https://github.com/HelloZeroNet/ZeroNet/issues" target="_blank">report it</a> if you think this an error.</h3>
|
||||
<h4>Details:</h4>
|
||||
<pre>%s</pre>
|
||||
""" % (title, message, json.dumps(details, indent=4, sort_keys=True))
|
||||
""" % (title, html.escape(message), html.escape(json.dumps(details, indent=4, sort_keys=True)))
|
||||
else:
|
||||
return """
|
||||
<h1>%s</h1>
|
||||
|
|
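Review bot: error404 now passes the raw `path` straight to formatError and depends on it for escaping, but the only escaping visible on the new side (`html.escape(message)` together with `html.escape(json.dumps(...))`) sits in the `details=True` branch, while error404 calls with `details=False` and that `else` branch is cut off right after `<h1>%s</h1>` at the end of the hunk. Confirm the `else` branch also renders its message through `html.escape`; if it still interpolates `message` bare, the 404 page regresses from the escaped output it had before this commit. `title` is interpolated unescaped in both branches; the visible callers pass fixed literals, so this only matters if a caller elsewhere derives the title from request data, in which case `html.escape(title)` belongs there too. formatError's body continues outside the hunk.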