From 71e14f28a6ba513952674e38bad72df46f21a5ed Mon Sep 17 00:00:00 2001
From: Tatu Lund
Date: Thu, 18 Apr 2019 14:02:22 +0300
Subject: [PATCH] Sanitize input used in error template (#5498)

As error template is html, and the input used in it is taken from the path, which can be anything, the input needs to be sanitized before added to the template to avoid possible XSS injection.
---
 .../main/java/com/vaadin/flow/router/RouteNotFoundError.java | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/flow-server/src/main/java/com/vaadin/flow/router/RouteNotFoundError.java b/flow-server/src/main/java/com/vaadin/flow/router/RouteNotFoundError.java
index 217ba5caa45..3943c07a4bd 100644
--- a/flow-server/src/main/java/com/vaadin/flow/router/RouteNotFoundError.java
+++ b/flow-server/src/main/java/com/vaadin/flow/router/RouteNotFoundError.java
@@ -23,7 +23,9 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.io.IOUtils;
+import org.jsoup.Jsoup;
 import org.jsoup.nodes.Element;
+import org.jsoup.safety.Whitelist;
 import org.slf4j.LoggerFactory;
 import com.vaadin.flow.component.Component;
@@ -47,6 +49,8 @@ public int setErrorParameter(BeforeEnterEvent event,
         if (parameter.hasCustomMessage()) {
             additionalInfo = "Reason: " + parameter.getCustomMessage();
         }
+        path = Jsoup.clean(path, Whitelist.none());
+        additionalInfo = Jsoup.clean(additionalInfo, Whitelist.none());
         boolean productionMode = event.getUI().getSession().getConfiguration()
                 .isProductionMode();
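Review bot: `Jsoup.clean(..., Whitelist.none())` on the two added lines strips anything that parses as a tag instead of escaping it, so the error page no longer reports the value it received: a path like `/a<b>c` (constructed example) would be rendered as `/ac`, and Jsoup's default output settings may also re-wrap or normalize whitespace in the result. Both values are plain text headed for an HTML template, so escaping keeps the diagnostic intact while still neutralizing markup, e.g. `path = Entities.escape(path);` and `additionalInfo = Entities.escape(additionalInfo);` with `org.jsoup.nodes.Entities` imported in the first hunk in place of `Jsoup`/`Whitelist`. Whichever encoder is kept, a comment on these lines should state the contract, e.g. `// Escaped for the HTML error template; only safe as element text or quoted attribute text`, because the template's use of these values lies outside the hunk and a script or URL-attribute context would need a different encoder. `Jsoup.clean` also does not accept a null input, so if `path` can be null at this point it needs a guard; setErrorParameter starts and ends outside the hunk, so neither the null-ness of `path` nor the template context can be confirmed from it.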