Merge pull request #5744 from ledgersmb/html-escape-error-messages

Html escape error messages
ledgersmb · Aug 6, 2021 · 98fa476 · 98fa476
2 parents 2a818cd + 555eb1d
commit 98fa476
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/lib/LedgerSMB/PSGI/Util.pm b/lib/LedgerSMB/PSGI/Util.pm
@@ -24,6 +24,7 @@ use strict;
 use warnings;
 
 use Carp;
+use HTML::Escape;
 use HTTP::Status qw( HTTP_OK HTTP_INTERNAL_SERVER_ERROR HTTP_SEE_OTHER
     HTTP_BAD_REQUEST );
 
@@ -41,7 +42,7 @@ Returns a standard error representation for HTTP status 500
 
 
 sub internal_server_error {
-    my ($msg, $title, $company, $dbversion) = @_;
+    my ($msg, $title, $company, $dbversion) = map { escape_html($_ // '') } @_;
 
     $title //= 'Error!';
     $msg =~ s/\n/<br>/g;

diff --git a/old/lib/LedgerSMB/oldHandler.pm b/old/lib/LedgerSMB/oldHandler.pm
@@ -57,6 +57,7 @@ use LedgerSMB::Sysconfig;
 
 use Cookie::Baker;
 use Digest::MD5;
+use HTML::Escape;
 use Log::Log4perl;
 use Feature::Compat::Try;
 
@@ -183,14 +184,17 @@ sub handle {
 sub _error {
     my ($form, $msg, $status) = @_;
     $msg = "? _error" if !defined $msg;
+    my $html_msg = escape_html($msg);
+    my $html_dbversion = escape_html($form->{dbversion});
+    my $html_company   = escape_html($form->{company});
     $status = 500 if ! defined $status;
 
     print qq|Status: $status ISE
 Content-Type: text/html; charset=utf-8
 
 <html>
-<body><h2 class="error">Error!</h2> <p><b>$msg</b></p>
-<p>dbversion: $form->{dbversion}, company: $form->{company}</p>
+<body><h2 class="error">Error!</h2> <p><b>$html_msg</b></p>
+<p>dbversion: $html_dbversion, company: $html_company</p>
 </body>
 </html>
 |;