diff options
| author | Santiago Pastorino <santiago@wyeworks.com> | 2013-06-27 11:59:17 -0700 |
|---|---|---|
| committer | Santiago Pastorino <santiago@wyeworks.com> | 2013-06-27 11:59:17 -0700 |
| commit | b33032395de77ec15237c28d603a3962d5c481f2 (patch) | |
| tree | c492270a52c3d3cd6ca0c998c62c12a6a1d66d42 | |
| parent | 89cf6256a46ff1196e53e08cedb14ec8c49308ce (diff) | |
| parent | 479fe8fecad0b33b88e6a9de016980623a77a337 (diff) | |
| download | rack-b33032395de77ec15237c28d603a3962d5c481f2.tar.gz | |
Merge pull request #579 from nealharris/escape-error-message-in-rack-showstatus
html escape detail for error message
| -rw-r--r-- | lib/rack/showstatus.rb | 2 | ||||
| -rw-r--r-- | test/spec_showstatus.rb | 19 |
2 files changed, 20 insertions, 1 deletions
diff --git a/lib/rack/showstatus.rb b/lib/rack/showstatus.rb index 5a9506f2..6892a5b7 100644 --- a/lib/rack/showstatus.rb +++ b/lib/rack/showstatus.rb @@ -96,7 +96,7 @@ TEMPLATE = <<'HTML' </table> </div> <div id="info"> - <p><%= detail %></p> + <p><%=h detail %></p> </div> <div id="explanation"> diff --git a/test/spec_showstatus.rb b/test/spec_showstatus.rb index 6f8e6fe1..5d97e8e5 100644 --- a/test/spec_showstatus.rb +++ b/test/spec_showstatus.rb @@ -1,6 +1,7 @@ require 'rack/showstatus' require 'rack/lint' require 'rack/mock' +require 'rack/utils' describe Rack::ShowStatus do def show_status(app) @@ -40,6 +41,24 @@ describe Rack::ShowStatus do res.should =~ /too meta/ end + should "escape error" do + detail = "<script>alert('hi \"')</script>" + req = Rack::MockRequest.new( + show_status( + lambda{|env| + env["rack.showstatus.detail"] = detail + [500, {"Content-Type" => "text/plain", "Content-Length" => "0"}, []] + })) + + res = req.get("/", :lint => true) + res.should.be.not.empty + + res["Content-Type"].should.equal("text/html") + res.should =~ /500/ + res.should.not.include detail + res.body.should.include Rack::Utils.escape_html(detail) + end + should "not replace existing messages" do req = Rack::MockRequest.new( show_status( |