Merge pull request #12 from mkdecisiondev/DEV-146043-error-screen-xss

Escaped error message on error screens to prevent XSS attacks.
mkdecisiondev · Aug 31, 2023 · f21215c · f21215c
2 parents 29c5549 + 3763a70
commit f21215c
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 3 deletions.
diff --git a/base-component/webroot/screen/webroot/error/InternalError.xml b/base-component/webroot/screen/webroot/error/InternalError.xml
@@ -20,7 +20,7 @@ along with this software (see the LICENSE.md file). If not, see
             <p>&nbsp;</p>
             <div class="jumbotron">
                 <h1><i class="fa fa-exclamation-circle text-danger"></i> Internal Server Error (${errorCode})</h1>
-                <p class="text-danger">${errorMessage!""}</p>
+                <p class="text-danger">${(errorMessage!"")?html}</p>
                 <a href="${sri.buildUrl("/").url}" class="btn btn-primary btn-lg" role="button">Go Home</a>
                 <a href="javascript:window.history.back();" class="btn btn-primary btn-lg" role="button">Go Back</a>
                 <#if errorThrowable??><button type="button" class="btn btn-primary btn-lg" data-toggle="modal" data-target="#ErrorDetailModal">See Detail</button></#if>

diff --git a/base-component/webroot/screen/webroot/error/NotFound.xml b/base-component/webroot/screen/webroot/error/NotFound.xml
@@ -27,7 +27,7 @@ along with this software (see the LICENSE.md file). If not, see
                     <p class="text-danger">The full path was: <#list errorThrowable.fullPathNameList as pathName><code>${pathName?html}</code><#if pathName_has_next>/</#if></#list></p>
                     <#if errorThrowable.resourceLocation??><p class="text-danger">Resource not found at: ${errorThrowable.resourceLocation?html}</p></#if>
                 <#else>
-                    <p class="text-danger">${errorMessage!""}</p>
+                    <p class="text-danger">${(errorMessage!"")?html}</p>
                 </#if>
                 <a href="${sri.buildUrl("/").url}" class="btn btn-primary btn-lg" role="button">Go Home</a>
                 <a href="javascript:window.history.back();" class="btn btn-primary btn-lg" role="button">Go Back</a>

diff --git a/base-component/webroot/screen/webroot/error/TooMany.xml b/base-component/webroot/screen/webroot/error/TooMany.xml
@@ -20,7 +20,7 @@ along with this software (see the LICENSE.md file). If not, see
             <p>&nbsp;</p>
             <div class="jumbotron">
                 <h1><i class="fa fa-clock-o text-danger"></i> Too Many Requests (${errorCode})</h1>
-                <p class="text-danger">${errorMessage!""}</p>
+                <p class="text-danger">${(errorMessage!"")?html}</p>
                 <a href="${sri.buildUrl("/").url}" class="btn btn-primary btn-lg" role="button">Go Home</a>
                 <a href="javascript:window.history.back();" class="btn btn-primary btn-lg" role="button">Go Back</a>
             </div>