From c0d81021dfbb4324a9933455ca41e467cfa63b06 Mon Sep 17 00:00:00 2001
From: shortcutme
Date: Thu, 11 Apr 2019 00:48:16 +0200
Subject: [PATCH] Rev3861, Escape error detail to avoid XSS (reported by krzotr)
---
 src/Config.py | 2 +-
 src/Ui/UiRequest.py | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/Config.py b/src/Config.py
index b74c4e68..7ce63c52 100644
--- a/src/Config.py
+++ b/src/Config.py
@@ -13,7 +13,7 @@ class Config(object):
 def __init__(self, argv):
 self.version = "0.6.5"
- self.rev = 3860
+ self.rev = 3861
 self.argv = argv
 self.action = None
 self.pending_changes = {}
diff --git a/src/Ui/UiRequest.py b/src/Ui/UiRequest.py
index 04374e27..717c5c0b 100644
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@@ -799,12 +799,12 @@ class UiRequest(object):
 # Send file not found error
 def error404(self, path=""):
 self.sendHeader(404)
- return self.formatError("Not Found", cgi.escape(path.encode("utf8")), details=False)
+ return self.formatError("Not Found", path.encode("utf8"), details=False)
 # Internal server error
 def error500(self, message=":("):
 self.sendHeader(500)
- return self.formatError("Server error", cgi.escape(message))
+ return self.formatError("Server error", message)
 def formatError(self, title, message, details=True):
 import sys
@@ -828,7 +828,7 @@ class UiRequest(object):
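Review bot: error404 drops its own cgi.escape and passes the raw path with details=False, but the escaping this commit adds in the -828 hunk below sits only on the details=True branch of formatError; the else branch's `% (title, message)` formatting line lies past the end of that hunk and, going by the diffstat (3 insertions, 3 deletions in UiRequest.py), is not touched here, so the 404 page would render the request path unescaped unless that line already escapes it. Escaping belongs in both branches of formatError so that no caller can reopen the issue by choosing details=False, e.g. `""" % (title, cgi.escape(message))` in the else branch, mirroring the change made on the details branch. error500 has the same dependency on formatError escaping, which is satisfied for it because it uses the default details=True. formatError's body continues outside both hunks.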

Please report it if you think this an error.

Details:

%s
- """ % (title, message, json.dumps(details, indent=4, sort_keys=True))
+ """ % (title, cgi.escape(message), cgi.escape(json.dumps(details, indent=4, sort_keys=True)))
 else:
 return """

%s
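Review bot: The escaping contract of formatError is left undocumented by this change: message and the details dump are now escaped inside the function, so callers must pass unescaped text, and any caller that still pre-escapes will double-escape; nothing at the def (in the -799 hunk above) says so. A docstring such as `"""Render an HTML error page; message is escaped here, so callers pass it raw."""` on formatError would record that, and a short comment on the new `+` line noting that cgi.escape is used with its default quote=False, which is only adequate because the substituted values appear to land in element content rather than attributes (the template's tags are stripped in this rendering, so confirm against the source), would keep the next editor from reusing the value in an attribute. The function body continues past this hunk's last line.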