From e260c194d6379fdbe55e209bbee4358a74bcf77c Mon Sep 17 00:00:00 2001
From: SynacktivCerv <80706218+SynacktivCerv@users.noreply.github.com>
Date: Fri, 11 Mar 2022 21:53:21 +0100
Subject: [PATCH] Update Exceptions.php

In some cases, error messages could lead to Cross-Site Scripting vulnerability. This small fix sanitize potential user input from GET/POST parameters that could be returned into error messages.
---
 system/core/Exceptions.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/system/core/Exceptions.php b/system/core/Exceptions.php
index b1bc2dec5a3..f7dcd9820b1 100644
--- a/system/core/Exceptions.php
+++ b/system/core/Exceptions.php
@@ -171,6 +171,17 @@ public function show_error($heading, $message, $template = 'error_general', $sta
 else
 {
 set_status_header($status_code);
+ if (is_array($message))
+ {
+ foreach ($message as &$value)
+ {
+ $value = htmlspecialchars($value);
+ }
+ }
+ else
+ {
+ $message = htmlspecialchars($message);
+ }
 $message = '

'.(is_array($message) ? implode('

', $message) : $message).'

'; $template = 'html'.DIRECTORY_SEPARATOR.$template; }
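Review bot: The two htmlspecialchars() calls added after set_status_header() rely on the default flags and charset, which changed in PHP 8.1: on earlier versions single quotes are left unescaped and, without ENT_SUBSTITUTE, a message containing an invalid UTF-8 sequence makes the call return an empty string, so the error page silently loses its text. Passing the flags explicitly in both branches, `$value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');` and `$message = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`, gives the same output on every supported version. The by-reference foreach also leaves `$value` bound to the last array element; add `unset($value);` after the loop so a later assignment to that name cannot rewrite the message. Callers of show_error() that deliberately pass markup in the message would now see it rendered literally, which is presumably intended but worth confirming against internal call sites; show_error() begins before this hunk, so the CLI branch and the surrounding code are not visible here.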