From a5c7e5960175e59a4a6150d42cc5c56cab832d82 Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Thu, 11 Apr 2019 00:37:55 +0200
Subject: [PATCH] Rev4054, Escape error detail to avoid XSS (reported by krzotr)
---
src/Config.py | 2 +-
src/Ui/UiRequest.py | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/Config.py b/src/Config.py
index f0db230f..6ca35c1d 100644
--- a/src/Config.py
+++ b/src/Config.py
@@ -13,7 +13,7 @@ class Config(object):
def __init__(self, argv):
self.version = "0.7.0"
- self.rev = 4053
+ self.rev = 4054
self.argv = argv
self.action = None
self.pending_changes = {}
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index fa9d3054..17cc2833 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -795,12 +795,12 @@ class UiRequest(object):
# Send file not found error
def error404(self, path=""):
self.sendHeader(404)
- return self.formatError("Not Found", html.escape(path), details=False)
+ return self.formatError("Not Found", path, details=False)
# Internal server error
def error500(self, message=":("):
self.sendHeader(500)
- return self.formatError("Server error", html.escape(message))
+ return self.formatError("Server error", message)
@helper.encodeResponse
def formatError(self, title, message, details=True):
@@ -825,7 +825,7 @@ class UiRequest(object):
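Review bot: With the escaping moved into formatError, error404 and error500 now hand the raw request path and exception message through unescaped, which is only safe as long as formatError escapes every interpolated value — and in the second hunk `title` is still dropped into the template as-is while only `message` and the details dump are wrapped in html.escape(). Both visible callers pass a literal title, so nothing in this diff is exploitable, but any other call site that builds the title from request data would keep the reported XSS; for defense in depth I would escape it too, `""" % (html.escape(title), html.escape(message), html.escape(json.dumps(details, indent=4, sort_keys=True)))`. html.escape() is also only adequate when the `%s` lands in HTML text or a quoted attribute; the surrounding markup is not visible here, so if any placeholder sits inside a `<script>` block or an unquoted attribute a context-specific encoder is needed, which is worth pinning with a comment on formatError such as `# message/details are untrusted (request path, exception text): always HTML-escape here, never at the call site`. Any caller elsewhere that still pre-escapes its message will now be double-escaped (`&amp;amp;`), so a grep for other html.escape() arguments to formatError is warranted. formatError's body continues outside this hunk.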

Please report it if you think this an error.

Details:

%s
- """ % (title, message, json.dumps(details, indent=4, sort_keys=True))
+ """ % (title, html.escape(message), html.escape(json.dumps(details, indent=4, sort_keys=True)))
else:
return """

%s