frodovdr/hyperion.ng
1
0
Fork 0
mirror of https://github.com/hyperion-project/hyperion.ng.git synced 2025-03-01 10:33:28 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix Cross Site Scripting Vulnerability 1 (#1720)

Browse Source
This commit is contained in:
LordGrey 2024-04-02 21:44:46 +02:00 committed by GitHub
parent 86d08823a8
commit d5438acbf4
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
libsrc/webserver/StaticFileServing.cpp
View File

@ -39,12 +39,15 @@ void StaticFileServing::setBaseUrl(const QString& url)
void StaticFileServing::setSSDPDescription(const QString& desc)
{
if(desc.isEmpty())
{
_ssdpDescription.clear();
else
} else
{
_ssdpDescription = desc.toLocal8Bit();
}
}
void StaticFileServing::printErrorToReply (QtHttpReply * reply, QtHttpReply::StatusCode code, QString errorMessage)
void StaticFileServing::printErrorToReply (QtHttpReply * reply, QtHttpReply::StatusCode code, const QString& errorMessage)
{
reply->setStatusCode(code);
reply->addHeader ("Content-Type", QByteArrayLiteral ("text/html"));
@ -62,13 +65,13 @@ void StaticFileServing::printErrorToReply (QtHttpReply * reply, QtHttpReply::Sta
if (errorPage.open (QFile::ReadOnly))
{
QByteArray data = errorPage.readAll();
data = data.replace("{MESSAGE}", errorMessage.toLocal8Bit() );
data = data.replace("{MESSAGE}", QString(errorMessage.toLocal8Bit()).toHtmlEscaped().toLocal8Bit() );
reply->appendRawData (data);
errorPage.close ();
}
else
{
reply->appendRawData (QString(QString::number(code) + " - " +errorMessage).toLocal8Bit());
reply->appendRawData (QString(QString::number(code) + " - " +errorMessage.toLocal8Bit()).toHtmlEscaped().toLocal8Bit());
}
if (errorPageFooter.open (QFile::ReadOnly))
@ -103,7 +106,8 @@ void StaticFileServing::onRequestNeedsReply (QtHttpRequest * request, QtHttpRepl
}
return;
}
else if(uri_parts.at(0) == "description.xml" && !_ssdpDescription.isNull())
if(uri_parts.at(0) == "description.xml" && !_ssdpDescription.isNull())
{
reply->addHeader ("Content-Type", "text/xml");
reply->appendRawData (_ssdpDescription);

2
libsrc/webserver/StaticFileServing.h
View File

@ -37,7 +37,7 @@ private:
Logger * _log;
QByteArray _ssdpDescription;
void printErrorToReply (QtHttpReply * reply, QtHttpReply::StatusCode code, QString errorMessage);
void printErrorToReply (QtHttpReply * reply, QtHttpReply::StatusCode code, const QString& errorMessage);
};