upstream/mattermost
1
0
Fork 0
mirror of https://github.com/mattermost/mattermost.git synced 2026-05-28 04:35:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

encode special characters on some error pages (#35492)

Browse source
This commit is contained in:
Carlos Garcia 2026-03-10 12:54:42 +01:00 committed by GitHub
parent 7e0af2de57
commit 5a1ea95044
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 47 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
server/channels/utils/api.go
View file

@ -93,7 +93,7 @@ func RenderMobileAuthComplete(w http.ResponseWriter, redirectURL string) {
<h2> `+i18n.T("api.oauth.auth_complete")+` </h2>
<p id="redirecting-message"> `+i18n.T("api.oauth.redirecting_back")+` </p>
<p id="close-tab-message" style="display: none"> `+i18n.T("api.oauth.close_browser")+` </p>
<p> `+i18n.T("api.oauth.click_redirect", model.StringInterface{"Link": link})+` </p>
<p> `+string(i18n.TranslateAsHTML(i18n.T, "api.oauth.click_redirect", map[string]any{"Link": redirectURL}))+` </p>
<meta http-equiv="refresh" content="2; url=`+link+`">
<script>
window.onload = function() {
@ -110,7 +110,7 @@ func RenderMobileError(config *model.Config, w http.ResponseWriter, err *model.A
var link = template.HTMLEscapeString(redirectURL)
u, redirectErr := url.Parse(redirectURL)
if redirectErr != nil || !slices.Contains(config.NativeAppSettings.AppCustomURLSchemes, u.Scheme) {
link = *config.ServiceSettings.SiteURL
link = template.HTMLEscapeString(*config.ServiceSettings.SiteURL)
}
RenderMobileMessage(w, `
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 576 512" style="width: 64px; height: 64px; fill: #ccc">
@ -118,9 +118,9 @@ func RenderMobileError(config *model.Config, w http.ResponseWriter, err *model.A
<path d="M569.517 440.013C587.975 472.007 564.806 512 527.94 512H48.054c-36.937 0-59.999-40.055-41.577-71.987L246.423 23.985c18.467-32.009 64.72-31.951 83.154 0l239.94 416.028zM288 354c-25.405 0-46 20.595-46 46s20.595 46 46 46 46-20.595 46-46-20.595-46-46-46zm-43.673-165.346l7.418 136c.347 6.364 5.609 11.346 11.982 11.346h48.546c6.373 0 11.635-4.982 11.982-11.346l7.418-136c.375-6.874-5.098-12.654-11.982-12.654h-63.383c-6.884 0-12.356 5.78-11.981 12.654z"/>
</svg>
<h2> `+i18n.T("error")+` </h2>
<p> `+err.Message+` </p>
<p> `+template.HTMLEscapeString(err.Message)+` </p>
<a href="`+link+`">
`+i18n.T("api.back_to_app", map[string]any{"SiteName": config.TeamSettings.SiteName})+`
`+string(i18n.TranslateAsHTML(i18n.T, "api.back_to_app", map[string]any{"SiteName": config.TeamSettings.SiteName}))+`
</a>
`)
}

43
server/channels/utils/api_test.go
View file

@ -14,12 +14,14 @@ import (
"net/http"
"net/http/httptest"
"net/url"
"strings"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/mattermost/mattermost/server/public/model"
"github.com/mattermost/mattermost/server/public/shared/i18n"
)
func TestRenderWebError(t *testing.T) {
@ -49,3 +51,44 @@ func TestRenderWebError(t *testing.T) {
h := sha256.Sum256([]byte("/error?foo=bar"))
assert.True(t, ecdsa.Verify(&key.PublicKey, h[:], rs.R, rs.S))
}
func TestRenderMobileError(t *testing.T) {
require.NoError(t, i18n.TranslationsPreInitFromFileBytes("en.json", []byte(`[{"id":"api.back_to_app","translation":"Back to {{.SiteName}}"}]`)))
cfg := &model.Config{}
cfg.SetDefaults()
*cfg.ServiceSettings.SiteURL = "http://localhost:8065"
*cfg.TeamSettings.SiteName = "Mattermost<test>"
cfg.NativeAppSettings.AppCustomURLSchemes = []string{"mattermost"}
appErr := model.NewAppError("test", "api.test.error", nil, "details", http.StatusBadRequest)
appErr.Message = "Something went <wrong>"
t.Run("renders html with special characters encoded in site name", func(t *testing.T) {
w := httptest.NewRecorder()
RenderMobileError(cfg, w, appErr, "mattermost://auth/complete")
body := w.Body.String()
assert.Equal(t, http.StatusOK, w.Code)
assert.Contains(t, body, "Mattermost&lt;test&gt;")
assert.NotContains(t, body, "Mattermost<test>")
})
t.Run("renders html with special characters encoded in error message", func(t *testing.T) {
w := httptest.NewRecorder()
RenderMobileError(cfg, w, appErr, "mattermost://auth/complete")
body := w.Body.String()
assert.Contains(t, body, "Something went &lt;wrong&gt;")
assert.NotContains(t, body, "Something went <wrong>")
})
t.Run("falls back to site url for invalid redirect scheme", func(t *testing.T) {
w := httptest.NewRecorder()
RenderMobileError(cfg, w, appErr, "https://evil.example.com/callback")
body := w.Body.String()
assert.Contains(t, body, "http://localhost:8065")
assert.False(t, strings.Contains(body, "evil.example.com"))
})
}