mirror of
https://git.proxmox.com/git/proxmox-widget-toolkit
synced 2025-05-06 15:37:17 +00:00
utils: always html-encode response message
while this is something that only the user that made the request will see, and for most people the possibility of "hacking" themselves is rather redundant, it is still not nice to have this possible in general; as even if it's highly unlikely that there ever can be an error triggered to another user via API2 request handling, hardening against it is simply too cheap to not do it.

Reported-by: Marcel Fromkorth <marcel.fromkorth@8com.de>
Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
parent
d53046d66b
commit
cf93d1da50
@ -396,7 +396,7 @@ utilities: {
|
||||
if (!result.success) {
|
||||
msg = gettext("Unknown error");
|
||||
if (result.message) {
|
||||
msg = result.message;
|
||||
msg = Ext.htmlEncode(result.message);
|
||||
if (result.status) {
|
||||
msg += ` (${result.status})`;
|
||||
}
|
||||
|
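Review bot: `result.status` is still interpolated into `msg` unencoded on the line `msg += ` (${result.status})`;`, right after the newly encoded `result.message`. If the status can ever carry server-supplied text rather than a plain numeric code, it should go through `Ext.htmlEncode()` as well, so the whole string is safe to render as HTML. It would also help to add a short comment stating that `msg` is HTML-encoded from this point on, so that callers rendering it do not encode it a second time and display literal entities such as `&lt;`.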