author | Neal Harris <neal@squareup.com> | 2013-06-21 14:35:37 -0700 |
---|---|---|
committer | Neal Harris <neal@squareup.com> | 2013-06-23 10:56:09 -0700 |
commit | 479fe8fecad0b33b88e6a9de016980623a77a337 (patch) | |
tree | c492270a52c3d3cd6ca0c998c62c12a6a1d66d42 | |
parent | 89cf6256a46ff1196e53e08cedb14ec8c49308ce (diff) | |
download | rack-479fe8fecad0b33b88e6a9de016980623a77a337.tar.gz |
html escape detail for error message
-rw-r--r-- | lib/rack/showstatus.rb | 2 | ||||
-rw-r--r-- | test/spec_showstatus.rb | 19 |
2 files changed, 20 insertions, 1 deletions
diff --git a/lib/rack/showstatus.rb b/lib/rack/showstatus.rb
index 5a9506f2..6892a5b7 100644
--- a/lib/rack/showstatus.rb
+++ b/lib/rack/showstatus.rb
@@ -96,7 +96,7 @@ TEMPLATE = <<'HTML'
 </table>
 </div>
 <div id="info">
- <p><%= detail %></p>
+ <p><%=h detail %></p>
 </div>
 <div id="explanation">
diff --git a/test/spec_showstatus.rb b/test/spec_showstatus.rb
index 6f8e6fe1..5d97e8e5 100644
--- a/test/spec_showstatus.rb
+++ b/test/spec_showstatus.rb
@@ -1,6 +1,7 @@
 require 'rack/showstatus'
 require 'rack/lint'
 require 'rack/mock'
+require 'rack/utils'
 describe Rack::ShowStatus do
 def show_status(app)
@@ -40,6 +41,24 @@ describe Rack::ShowStatus do
 res.should =~ /too meta/
 end
+ should "escape error" do
 detail = "<script>alert('hi \"')</script>"
 req = Rack::MockRequest.new(
 show_status(
 lambda{|env|
 env["rack.showstatus.detail"] = detail
 [500, {"Content-Type" => "text/plain", "Content-Length" => "0"}, []]
 }))
+ res = req.get("/", :lint => true)
 res.should.be.not.empty
+ res["Content-Type"].should.equal("text/html")
 res.should =~ /500/
 res.should.not.include detail
 res.body.should.include Rack::Utils.escape_html(detail)
+ end
+ should "not replace existing messages" do
 req = Rack::MockRequest.new(
 show_status( |
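Review bot: Escaping `detail` with `h` in the `info` div fixes the one interpolation this hunk touches, but `rack.showstatus.detail` is only one of the values the template can print; any other `<%= … %>` in the same TEMPLATE that renders app- or request-derived data (a status message, for instance, if the template prints one) needs the same `h`, and those sites are outside this hunk. The change also assumes `h` is resolvable in the binding the heredoc is rendered with; that definition is not visible here and should be confirmed, including what it does for a non-String detail. An ERB comment above the paragraph would keep the next editor from reintroducing the raw form, e.g. `<%# detail comes from env and is attacker-influenced: always render it through h %>`. The TEMPLATE heredoc begins and ends outside the hunk.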
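Review bot: The new "escape error" spec asserts the body contains exactly `Rack::Utils.escape_html(detail)`, which ties the test to the specific escaping routine rather than to the property being protected (no raw markup reaches the page); if ShowStatus's `h` ever does more than `escape_html` (e.g. `inspect` for non-String details, not visible from here) the assertion fails for the wrong reason, so keep `res.should.not.include detail` as the primary check and treat the second as a regression pin. The fixture exercises `<`, `>`, `'` and `"` but never `&`, so the `&amp;` path is untested; `detail = "<script>alert('hi \"&')</script>"` covers it with no other change. The spec's enclosing `describe` block starts and ends outside the hunk.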