From 3bf69fd21ff221a475a941a0b3e3e9dc100f272f Mon Sep 17 00:00:00 2001
From: Aaron van Geffen <aaron@aaronweb.net>
Date: Wed, 10 Mar 2021 17:09:01 +0100
Subject: [PATCH] Prevent XSS in error log viewer.

---
 controllers/ManageErrors.php | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/controllers/ManageErrors.php b/controllers/ManageErrors.php
index 6e8d41fb..6113e048 100644
--- a/controllers/ManageErrors.php
+++ b/controllers/ManageErrors.php
@@ -47,9 +47,13 @@ class ManageErrors extends HTMLController
 					'parse' => [
 						'type' => 'function',
 						'data' => function($row) {
-							return $row['message'] . '<br><div><a onclick="this.parentNode.childNodes[1].style.display=\'block\';this.style.display=\'none\';">Show debug info</a>' .
-								'<pre style="display: none">' . $row['debug_info'] . '</pre></div>' .
-								'<small><a href="' . BASEURL . $row['request_uri'] . '">' . $row['request_uri'] . '</a></small>';
+							return $row['message'] . '<br>' .
+								'<div><a onclick="this.parentNode.childNodes[1].style.display=\'block\';this.style.display=\'none\';">Show debug info</a>' .
+								'<pre style="display: none">' . htmlspecialchars($row['debug_info']) .
+								'</pre></div>' .
+								'<small><a href="' . BASEURL .
+									htmlspecialchars($row['request_uri']) . '">' .
+									htmlspecialchars($row['request_uri']) . '</a></small>';
 						}
 					],
 					'header' => 'Message / URL',