fix xss on error page

2025-04-25 06:16:58 +00:00 · 2022-12-02 17:19:43 +01:00 · 2022-12-02 17:19:43 +01:00 · 019d942249
commit 019d942249
parent dcf03fc078
3 changed files with 58 additions and 16 deletions
--- a/html/error.go
+++ b/html/error.go
@ -15,16 +15,28 @@ func ReturnErrorPage(ctx *context.Context, msg string, statusCode int) {
 	ctx.RespWriter.Header().Set("Content-Type", "text/html; charset=utf-8")
 	ctx.RespWriter.WriteHeader(statusCode)

-	if msg == "" {
-		msg = errorBody(statusCode)
-	} else {
-		// TODO: use template engine
-		msg = strings.ReplaceAll(strings.ReplaceAll(ErrorPage, "%message%", msg), "%status%", http.StatusText(statusCode))
-	}
+	msg = generateResponse(msg, statusCode)

 	_, _ = ctx.RespWriter.Write([]byte(msg))
 }

+// TODO: use template engine
+func generateResponse(msg string, statusCode int) string {
+	if msg == "" {
+		msg = strings.ReplaceAll(NotFoundPage,
+			"%status%",
+			strconv.Itoa(statusCode)+" "+errorMessage(statusCode))
+
+	} else {
+		msg = strings.ReplaceAll(
+			strings.ReplaceAll(ErrorPage, "%message%", template.HTMLEscapeString(msg)),
+			"%status%",
+			http.StatusText(statusCode))
+	}
+
+	return msg
+}
+
 func errorMessage(statusCode int) string {
 	message := http.StatusText(statusCode)

@ -37,11 +49,3 @@ func errorMessage(statusCode int) string {

 	return message
 }
-
-// TODO: use template engine
-func errorBody(statusCode int) string {
-	return template.HTMLEscapeString(
-		strings.ReplaceAll(NotFoundPage,
-			"%status%",
-			strconv.Itoa(statusCode)+" "+errorMessage(statusCode)))
-}