Rev3861, Escape error detail to avoid XSS (reported by krzotr)

2019-04-11 00:48:16 +02:00 · 2019-04-11 00:48:16 +02:00 · c0d81021df
commit c0d81021df
parent 5d81467083
2 changed files with 4 additions and 4 deletions
--- a/src/Config.py
+++ b/src/Config.py
@ -13,7 +13,7 @@ class Config(object):

    def __init__(self, argv):
        self.version = "0.6.5"
-        self.rev = 3860
+        self.rev = 3861
        self.argv = argv
        self.action = None
        self.pending_changes = {}
--- a/src/Ui/UiRequest.py
+++ b/src/Ui/UiRequest.py
@ -799,12 +799,12 @@ class UiRequest(object):
    # Send file not found error
    def error404(self, path=""):
        self.sendHeader(404)
-        return self.formatError("Not Found", cgi.escape(path.encode("utf8")), details=False)
+        return self.formatError("Not Found", path.encode("utf8"), details=False)

    # Internal server error
    def error500(self, message=":("):
        self.sendHeader(500)
-        return self.formatError("Server error", cgi.escape(message))
+        return self.formatError("Server error", message)

    def formatError(self, title, message, details=True):
        import sys
@ -828,7 +828,7 @@ class UiRequest(object):
                <h3>Please <a href="https://github.com/HelloZeroNet/ZeroNet/issues" target="_blank">report it</a> if you think this an error.</h3>
                <h4>Details:</h4>
                <pre>%s</pre>
-            """ % (title, message, json.dumps(details, indent=4, sort_keys=True))
+            """ % (title, cgi.escape(message), cgi.escape(json.dumps(details, indent=4, sort_keys=True)))
        else:
            return """
                <h1>%s</h1>