
Patrick Streule committed 5e3dae6

ACDEV-1158: Escape HTML error responses

  • Parent commits 6d29038


Files changed (4)

                             self.emit(webhook.event, webhook.event, req.body, req);
                             res.send(204);
                         } catch (ex) {
-                            res.send(500, ex);
+                            res.send(500, _.escape(ex));
                         }
                     });
         });
                     self.emit('host_settings_saved', settings.clientKey, data);
                     res.send(204);
                 }, function (err) {
-                    res.send(500, 'Could not lookup stored client data for ' + settings.clientKey + ': ' + err);
+                    res.send(500, _.escape('Could not lookup stored client data for ' + settings.clientKey + ': ' + err));
                 });
             });
 };

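--- a/lib/middleware/authentication.js
+++ b/lib/middleware/authentication.js
 var moment = require('moment');
 var token = require('../internal/token');
 var jwt = require('../internal/jwt');
+var _ = require('lodash');
 
 var authentication = {};
 
         function sendError(code, msg) {
             addon.logger.error('Authentication verification error:', code, msg);
-            res.send(code, msg);
+            res.send(code, _.escape(msg));
         }
 
         function success(jwtToken, remoteBaseUrl) {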
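Review bot: `_.escape(msg)` in `sendError` only matters because `res.send(string)` leaves Express to default the Content-Type to `text/html`; escaping is the right minimal fix, but declaring the body as plain text would make the escaping a second barrier rather than the only one, and would keep the message readable for non-browser clients that otherwise see `&#39;`-style entities. If this is Express 4, the status-first `res.send(code, body)` form is also deprecated, so the line could become `res.status(code).type('text/plain').send(_.escape(msg));`. Whether `msg` ever carries request-derived text cannot be seen from this hunk, and the function that defines `sendError` starts and ends outside it.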

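--- a/lib/middleware/token.js
+++ b/lib/middleware/token.js
 
 var token = require('../internal/token');
 var request = require('./request');
+var _ = require('lodash');
 
 module.exports = function (addon) {
 
                 function (error) {
                     addon.emit('token_verification_failed');
                     addon.logger.error('Token verification error:', error.message);
-                    res.send(401, error.message);
+                    res.send(401, _.escape(error.message));
                 }
         );
     };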
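Review bot: The rejection handler assumes `error` is an `Error`; if the verification chain ever rejects with a plain string or `undefined`, `error.message` is `undefined`, `_.escape(undefined)` yields `''`, and the client receives an empty 401 body (the logger line above has the same assumption, so this predates the commit but the new line does not fix it). A single normalised message used by both the log and the response would close that gap: `var message = error && error.message ? error.message : String(error);` followed by `addon.logger.error('Token verification error:', message);` and `res.send(401, _.escape(message));`. Whether the verifier can reject with a non-Error is not visible here; the promise chain and the enclosing handler start outside this hunk.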

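--- a/lib/middleware/verify-installation.js
+++ b/lib/middleware/verify-installation.js
         function sendError(msg) {
             var code = 401;
             addon.logger.error('Installation verification error:', code, msg);
-            res.send(code, msg);
+            res.send(code, _.escape(msg));
         }
 
         var regInfo = req.body;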
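Review bot: The new line references `_`, but unlike authentication.js and token.js this file section shows no `var _ = require('lodash');` being added; unless lodash is already required further up the file (not visible on this page), `sendError` will throw a `ReferenceError` on the very path that is supposed to produce the 401, turning a rejected installation into an unhandled exception or a 500. Please confirm the import exists, or add `var _ = require('lodash');` next to the module's other requires. As in the other two files, the body is still sent with Express's default `text/html` type, so `res.status(code).type('text/plain').send(_.escape(msg));` would make the escaping defence-in-depth rather than the sole control. The function enclosing `sendError` starts and ends outside this hunk.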