Fix for #182 merged via master.

kernelsauce · Apr 20, 2015 · 677d476 · 677d476
1 parent 5fa4303
commit 677d476
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 2 deletions.
diff --git a/doc/escape.rst b/doc/escape.rst
@@ -41,6 +41,14 @@ Escaping
 	:type s: String
 	:rtype: String
 
+.. function:: html_escape(s)
+
+	Encodes the HTML entities in a string. Helpfull to avoid XSS.
+
+	:param s: String to escape.
+	:type s: String
+	:rtype: String
+
 String trimming
 ---------------
 

diff --git a/turbo/escape.lua b/turbo/escape.lua
@@ -55,6 +55,20 @@ function escape.escape(s)
     return string.gsub(s, "([^A-Za-z0-9_])", _hex)
 end
 
+--- Encodes the HTML entities in a string. Helpfull to avoid XSS.
+-- @param s (String) String to escape.
+function escape.html_escape(s)
+    assert("Expected string in argument #1.")
+    return (string.gsub(s, "[}{\">/<'&]", {
+        ["&"] = "&amp;",
+        ["<"] = "&lt;",
+        [">"] = "&gt;",
+        ['"'] = "&quot;",
+        ["'"] = "&#39;",
+        ["/"] = "&#47;"
+    }))
+end
+
 -- Remove trailing and leading whitespace from string.
 -- @param s String
 function escape.trim(s)

diff --git a/turbo/web.lua b/turbo/web.lua
@@ -1187,7 +1187,7 @@ function web.Application:__call(request)
                     request,
                     500,
                     string.format('<pre style="font-size:12px; font-family:monospace; color:#8B0000;">[web.lua] Error in RequestHandler, %s is dead.\r\n%s\r\n%s\r\n%s</pre>',
-                        thread, _str_borders_down, trace, _str_borders_up))
+                        thread, _str_borders_down, escape.html_escape(trace), _str_borders_up))
             else
                 local thread = coroutine.running()
                 local trace = debug.traceback(coroutine.running(),
@@ -1205,7 +1205,7 @@ function web.Application:__call(request)
                     request,
                     500,
                     string.format('<pre style="font-size:12px; font-family:monospace; color:#8B0000;">[web.lua] Unknown error in RequestHandler, %s is dead.\r\n%s\r\n%s\r\n%s</pre>',
-                        thread, _str_borders_down, trace, _str_borders_up))
+                        thread, _str_borders_down, escape.html_escape(trace), _str_borders_up))
             end
         end
     elseif not handlers and self.default_host then