From d9816ce1fbea0c6219c6660fda6887375c5f1e84 Mon Sep 17 00:00:00 2001
From: Richard Gebhardt
Date: Thu, 17 Jun 2021 19:12:44 -0400
Subject: [PATCH] escape widget error message; prevent xss
---
lib/dashing/app.rb | 6 +++++-
test/app_test.rb | 8 ++++++++
2 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/dashing/app.rb b/lib/dashing/app.rb
index ed86bfd..4e392e0 100644
--- a/lib/dashing/app.rb
+++ b/lib/dashing/app.rb
@@ -25,6 +25,10 @@ def protected!
# override with auth logic
end
+ def h(text)
Rack::Utils.escape_html(text)
end
+
def authenticated?(token)
return true unless settings.auth_token
token && Rack::Utils.secure_compare(settings.auth_token, token)
@@ -129,7 +133,7 @@ def authenticated?(token)
return Tilt[language].new(file).render if File.exist?(file)
end
- "Drats! Unable to find a widget file named: #{params[:widget]} to render."
+ "Drats! Unable to find a widget file named: #{h(params[:widget])} to render."
end
Thin::Server.class_eval do
diff --git a/test/app_test.rb b/test/app_test.rb
index cd6a36c..d31fd4f 100644
--- a/test/app_test.rb
+++ b/test/app_test.rb
@@ -200,6 +200,14 @@ def test_get_nonexistent_widget
end
end
+ def test_get_xss_widget
with_generated_project do
get '/views/nowidget-
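Review bot: The new `h` helper in the first hunk of lib/dashing/app.rb has no comment, and its one-letter name (the ERB shorthand) does not tell a later reader when it is mandatory. I would add above `def h(text)`: `# HTML-escape +text+ (Rack::Utils.escape_html) before interpolating any request-derived value into a response body; never emit params, headers or query strings raw.` If, as I believe, escape_html coerces its argument with to_s, a nil param escapes to an empty string rather than raising — worth confirming and stating, since the caller in the second hunk passes `params[:widget]` unchecked.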
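Review bot: The same `params[:widget]` that is now escaped in the "Drats!" message also reaches the filesystem lookup two lines above it (`File.exist?(file)` / `Tilt[language].new(file).render`), and nothing in this hunk constrains that value; the line that builds `file` is outside the hunk, so I am inferring it is derived from the raw parameter. If so, a widget name containing `../` can point Tilt at a file outside the views directory, which escaping the error text does not prevent. I would validate the name before the lookup rather than rely on output escaping alone, e.g. `halt 400 unless params[:widget].to_s.match?(/\A[\w-]+\z/)` (assuming Sinatra's `halt` is available here as `settings`/`params` suggest). Separately, the not-found branch still answers with status 200 and a plain-text body; a `halt 404, "Drats! ..."` would describe the outcome more accurately, though the new test pins 200. The enclosing route block starts outside the hunk.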

.html'
assert_equal 200, last_response.status
assert_equal last_response.body, 'Drats! Unable to find a widget file named: nowidget-<h1> to render.'
end
end
+
def with_generated_project
source_path = File.expand_path('../../templates', __FILE__)
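Review bot: `assert_equal last_response.body, 'Drats! ...'` in test_get_xss_widget has expected and actual reversed — minitest's signature is `assert_equal expected, actual`, so on failure the literal is reported as "actual" and the response as "expected", which misleads whoever debugs it. I would flip it: `assert_equal 'Drats! Unable to find a widget file named: nowidget-<h1> to render.', last_response.body`. The payload only exercises `<` and `>`; since the escaper also handles `"`, `'` and `&`, a second request whose name carries a URL-encoded quote and ampersand would pin those cases too, and a short comment such as `# reflected widget name must come back HTML-escaped` would record the intent. In this rendering the `get` line shows the request path with its tag stripped, so anyone reading the patch here should cross-check the actual path against the assertion. `with_generated_project` continues outside the hunk.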