
Commit 98fa476

Merge pull request #5744 from ledgersmb/html-escape-error-messages
Html escape error messages
2 parents 2a818cd + 555eb1d commit 98fa476


2 files changed

+8
-3
lines changed


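--- a/lib/LedgerSMB/PSGI/Util.pm
+++ b/lib/LedgerSMB/PSGI/Util.pm
@@ -24,6 +24,7 @@ use strict;
 use warnings;
 
 use Carp;
+use HTML::Escape;
 use HTTP::Status qw( HTTP_OK HTTP_INTERNAL_SERVER_ERROR HTTP_SEE_OTHER
 HTTP_BAD_REQUEST );
 
@@ -41,7 +42,7 @@ Returns a standard error representation for HTTP status 500
 
 
 sub internal_server_error {
-my ($msg, $title, $company, $dbversion) = @_;
+my ($msg, $title, $company, $dbversion) = map { escape_html($_ // '') } @_;
 
 $title //= 'Error!';
 $msg =~ s/\n/<br>/g;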
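Review bot: The `$_ // ''` inside the new `map` on the `my ($msg, $title, $company, $dbversion)` line turns an undef `$title` into the empty string, so the `$title //= 'Error!'` default two lines below can no longer fire and any caller that omits the title now gets an empty heading instead of "Error!". Keep undef intact through the escaping so the existing default still applies: `my ($msg, $title, $company, $dbversion) = map { defined $_ ? escape_html($_) : undef } @_;` (with `$msg`, `$company` and `$dbversion` then defaulted with `// ''` where they are interpolated, which is outside this hunk). Escaping before the `s/\n/<br>/g` replacement is the right order, but any caller that already passes HTML-formatted text in `$msg` will now see it double-escaped; whether such callers exist cannot be confirmed from this hunk. The rest of internal_server_error's body is outside the hunk.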
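--- a/old/lib/LedgerSMB/oldHandler.pm
+++ b/old/lib/LedgerSMB/oldHandler.pm
@@ -57,6 +57,7 @@ use LedgerSMB::Sysconfig;
 
 use Cookie::Baker;
 use Digest::MD5;
+use HTML::Escape;
 use Log::Log4perl;
 use Feature::Compat::Try;
 
@@ -183,14 +184,17 @@ sub handle {
 sub _error {
 my ($form, $msg, $status) = @_;
 $msg = "? _error" if !defined $msg;
+my $html_msg = escape_html($msg);
+my $html_dbversion = escape_html($form->{dbversion});
+my $html_company = escape_html($form->{company});
 $status = 500 if ! defined $status;
 
 print qq|Status: $status ISE
 Content-Type: text/html; charset=utf-8
 
 <html>
-<body><h2 class="error">Error!</h2> <p><b>$msg</b></p>
-<p>dbversion: $form->{dbversion}, company: $form->{company}</p>
+<body><h2 class="error">Error!</h2> <p><b>$html_msg</b></p>
+<p>dbversion: $html_dbversion, company: $html_company</p>
 </body>
 </html>
 |;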