html escape detail for error message

commit 479fe8fecad0b33b88e6a9de016980623a77a337 1 parent 89cf625
@nealharris nealharris authored
Showing with 20 additions and 1 deletion.
  1. +1 −1  lib/rack/showstatus.rb
  2. +19 −0 test/spec_showstatus.rb
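--- a/lib/rack/showstatus.rb
+++ b/lib/rack/showstatus.rb
@@ -96,7 +96,7 @@ def h(obj) # :nodoc:
 </table>
 </div>
 <div id="info">
-<p><%= detail %></p>
+<p><%=h detail %></p>
 </div>
 <div id="explanation">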
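Review bot: The escape on the new `<p><%=h detail %></p>` line covers only `detail`; the template is a heredoc that starts and ends outside this hunk, and any other `<%= %>` interpolation in it that renders a request- or app-derived value (if any exist) would need the same `h` call, so it is worth checking the rest of the template while here. Since `detail` is whatever the wrapped app stored in `env["rack.showstatus.detail"]` (as the accompanying spec shows), a one-line ERB comment next to this line would make the contract explicit, e.g. `<%# detail is app-supplied and may echo request data: always render it through h %>`. The `h` helper is named in the hunk header (`def h(obj) # :nodoc:`) but its body is outside the hunk, so I am assuming it escapes HTML equivalently to Rack::Utils.escape_html, which is what the new spec asserts against.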
19 test/spec_showstatus.rb
@@ -1,6 +1,7 @@
require 'rack/showstatus'
require 'rack/lint'
require 'rack/mock'
+require 'rack/utils'
describe Rack::ShowStatus do
def show_status(app)
@@ -40,6 +41,24 @@ def show_status(app)
res.should =~ /too meta/
end
+ should "escape error" do
+ detail = "<script>alert('hi \"')</script>"
+ req = Rack::MockRequest.new(
+ show_status(
+ lambda{|env|
+ env["rack.showstatus.detail"] = detail
+ [500, {"Content-Type" => "text/plain", "Content-Length" => "0"}, []]
+ }))
+
+ res = req.get("/", :lint => true)
+ res.should.be.not.empty
+
+ res["Content-Type"].should.equal("text/html")
+ res.should =~ /500/
+ res.should.not.include detail
+ res.body.should.include Rack::Utils.escape_html(detail)
+ end
+
should "not replace existing messages" do
req = Rack::MockRequest.new(
show_status(