html escape detail for error message

rack · Jun 23, 2013 · 479fe8f · 479fe8f
1 parent 89cf625
commit 479fe8f
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 1 deletion.
diff --git a/lib/rack/showstatus.rb b/lib/rack/showstatus.rb
@@ -96,7 +96,7 @@ def h(obj)                  # :nodoc:
     </table>
   </div>
   <div id="info">
-    <p><%= detail %></p>
+    <p><%=h detail %></p>
   </div>
 
   <div id="explanation">

diff --git a/test/spec_showstatus.rb b/test/spec_showstatus.rb
@@ -1,6 +1,7 @@
 require 'rack/showstatus'
 require 'rack/lint'
 require 'rack/mock'
+require 'rack/utils'
 
 describe Rack::ShowStatus do
   def show_status(app)
@@ -40,6 +41,24 @@ def show_status(app)
     res.should =~ /too meta/
   end
 
+  should "escape error" do
+    detail = "<script>alert('hi \"')</script>"
+    req = Rack::MockRequest.new(
+      show_status(
+        lambda{|env|
+          env["rack.showstatus.detail"] = detail
+          [500, {"Content-Type" => "text/plain", "Content-Length" => "0"}, []]
+    }))
+
+    res = req.get("/", :lint => true)
+    res.should.be.not.empty
+
+    res["Content-Type"].should.equal("text/html")
+    res.should =~ /500/
+    res.should.not.include detail
+    res.body.should.include Rack::Utils.escape_html(detail)
+  end
+
   should "not replace existing messages" do
     req = Rack::MockRequest.new(
       show_status(