fix: escape error message in ErrorPresenter to prevent XSS vulnerabil…

…ities
poweradmin · Dec 2, 2023 · c79f9ae · c79f9ae
1 parent c051086
commit c79f9ae
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/lib/Application/Presenter/ErrorPresenter.php b/lib/Application/Presenter/ErrorPresenter.php
@@ -46,8 +46,9 @@ private function sanitizeMessage(string $message): string
 
     private function renderError(string $msg, ?string $name): void
     {
+        $safeMsg = htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
         $safeName = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
-        $errorContent = ($name !== null) ? "$msg (Record: $safeName)" : $msg;
+        $errorContent = ($name !== null) ? "$safeMsg (Record: $safeName)" : $safeMsg;
 
         echo <<<HTML
         <div class="alert alert-danger">