Sanitize input used in error template (#5498)

As error template is html, and the input used in it is taken from the path, which can be anything, the input needs to be sanitized before added to the template to avoid possible XSS injection.
vaadin · Apr 18, 2019 · 71e14f2 · 71e14f2
1 parent 9f56157
commit 71e14f2
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/flow-server/src/main/java/com/vaadin/flow/router/RouteNotFoundError.java b/flow-server/src/main/java/com/vaadin/flow/router/RouteNotFoundError.java
@@ -23,7 +23,9 @@
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.io.IOUtils;
+import org.jsoup.Jsoup;
 import org.jsoup.nodes.Element;
+import org.jsoup.safety.Whitelist;
 import org.slf4j.LoggerFactory;
 
 import com.vaadin.flow.component.Component;
@@ -47,6 +49,8 @@ public int setErrorParameter(BeforeEnterEvent event,
         if (parameter.hasCustomMessage()) {
             additionalInfo = "Reason: " + parameter.getCustomMessage();
         }
+        path = Jsoup.clean(path, Whitelist.none());
+        additionalInfo = Jsoup.clean(additionalInfo, Whitelist.none());
 
         boolean productionMode = event.getUI().getSession().getConfiguration()
                 .isProductionMode();