Rev4054, Escape error detail to avoid XSS (reported by krzotr)

2019-04-11 00:37:55 +02:00 · 2019-04-11 00:37:55 +02:00 · a5c7e59601
commit a5c7e59601
parent efbf70726f
2 changed files with 4 additions and 4 deletions
--- a/src/Config.py
+++ b/src/Config.py
@ -13,7 +13,7 @@ class Config(object):

    def __init__(self, argv):
        self.version = "0.7.0"
-        self.rev = 4053
+        self.rev = 4054
        self.argv = argv
        self.action = None
        self.pending_changes = {}
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@ -795,12 +795,12 @@ class UiRequest(object):
    # Send file not found error
    def error404(self, path=""):
        self.sendHeader(404)
-        return self.formatError("Not Found", html.escape(path), details=False)
+        return self.formatError("Not Found", path, details=False)

    # Internal server error
    def error500(self, message=":("):
        self.sendHeader(500)
-        return self.formatError("Server error", html.escape(message))
+        return self.formatError("Server error", message)

    @helper.encodeResponse
    def formatError(self, title, message, details=True):
@ -825,7 +825,7 @@ class UiRequest(object):
                <h3>Please <a href="https://github.com/HelloZeroNet/ZeroNet/issues" target="_blank">report it</a> if you think this an error.</h3>
                <h4>Details:</h4>
                <pre>%s</pre>
-            """ % (title, message, json.dumps(details, indent=4, sort_keys=True))
+            """ % (title, html.escape(message), html.escape(json.dumps(details, indent=4, sort_keys=True)))
        else:
            return """
                <h1>%s</h1>