Merge pull request hapijs#3 from wpreul/master
Adding extra XSS protection
Eran Hammer committed Mar 30, 2013
2 parents 3ab4cff + 114b345 commit 0f8640b
Showing 2 changed files with 13 additions and 3 deletions.
6 changes: 3 additions & 3 deletions lib/index.js
Expand Up @@ -39,7 +39,7 @@ exports = module.exports = internals.Boom = function () {
this.data = error;
this.response.code = error.code || 500;
if (error.message) {
this.message = error.message
this.message = error.message;
}
}
else {
Expand All @@ -53,7 +53,7 @@ exports = module.exports = internals.Boom = function () {

this.response.code = code;
if (message) {
this.message = message
this.message = message;
}
}

Expand All @@ -72,7 +72,7 @@ internals.Boom.prototype.reformat = function () {
this.response.payload.code = this.response.code;
this.response.payload.error = Http.STATUS_CODES[this.response.code] || 'Unknown';
if (this.message) {
this.response.payload.message = this.message;
this.response.payload.message = Hoek.escapeHtml(this.message); // Prevent XSS from error message
}
};

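Review bot: `Hoek.escapeHtml` on the new line in `reformat` HTML-encodes a field that is serialized into a JSON payload, so every non-HTML consumer (API clients, log pipelines) now receives entities such as `&lt;script&gt;` in place of the original message, while a client that interpolates the value into an attribute, URL or script context is not covered by HTML-body encoding. Output encoding is normally applied at the rendering sink, so the comment should record that this is defense in depth rather than a complete fix, e.g. replace the trailing comment with `// Defense in depth: payload is JSON; consumers rendering it as HTML must still encode for their own context`. The hunk does not show where `Hoek` is required, so it is assumed to already be in scope at the top of the file. `reformat` begins outside the hunk.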
10 changes: 10 additions & 0 deletions test/index.js
Expand Up @@ -230,6 +230,16 @@ describe('Boom', function () {
done();
});
});

describe('#reformat', function () {

it('encodes any HTML markup in the response payload', function (done) {

var boom = new Boom(new Error('<script>alert(1)</script>'));
expect(boom.response.payload.message).to.not.contain('<script>');
done();
});
});
});


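Review bot: The assertion in the new `#reformat` test only checks that the literal `<script>` is absent, so a change that dropped the message entirely or encoded just the opening tag would still pass. Pin the encoded shape instead, e.g. `expect(boom.response.payload.message).to.not.contain('<');` together with `expect(boom.response.payload.message).to.contain('alert');`, which confirms no raw angle bracket survives while the text itself is preserved. The same commit also touches the `new Boom(code, message)` branch in lib/index.js, so a second case built from that constructor form would confirm the encoding is applied on both paths, assuming both reach `reformat`. The enclosing `describe('Boom', ...)` starts outside the hunk.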