fix: escape unsafe characters in html response

koajs · Aug 18, 2018 · 46a79dd · 46a79dd
1 parent 052fea1
commit 46a79dd
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 2 deletions.
diff --git a/index.js b/index.js
@@ -3,6 +3,7 @@
 const http = require('http');
 const path = require('path');
 const fs = require('fs');
+const escapeHtml = require('escape-html');
 
 const env = process.env.NODE_ENV || 'development';
 const isDev = env === 'development';
@@ -125,7 +126,7 @@ function json(err, ctx) {
 
 function html(err, ctx) {
   ctx.body = defaultTemplate
-    .replace('{{status}}', err.status)
-    .replace('{{stack}}', err.stack);
+    .replace('{{status}}', escapeHtml(err.status))
+    .replace('{{stack}}', escapeHtml(err.stack));
   ctx.type = 'html';
 }
diff --git a/package.json b/package.json
@@ -44,5 +44,8 @@
   },
   "ci": {
     "version": "8, 9"
+  },
+  "dependencies": {
+    "escape-html": "^1.0.3"
   }
 }
diff --git a/test/html.test.js b/test/html.test.js
@@ -43,6 +43,19 @@ describe('html.test.js', function() {
     .expect(/<p>Looks like something broke!<\/p>/)
     .expect(/ENOENT/, done);
   });
+
+  it('should unsafe error ok', function(done) {
+    const app = new koa();
+    app.on('error', function() {});
+    onerror(app);
+    app.use(unsafeError);
+
+    request(app.callback())
+    .get('/')
+    .set('Accept', 'text/html')
+    .expect(/<p>Looks like something broke!<\/p>/)
+    .expect(/&lt;anonymous&gt;/, done);
+  });
 });
 
 function commonError() {
@@ -59,3 +72,7 @@ async function commonSleepError() {
 function streamError(ctx) {
   ctx.body = fs.createReadStream('not exist');
 }
+
+function unsafeError() {
+  throw new Error('<anonymous>');
+}