fix: ensure error messages are escaped (#13050)

benmccann · web-flow · commit 134e36343ef5 · 2024-11-25T13:36:56.000+08:00
diff --git a/.changeset/fast-swans-perform.md b/.changeset/fast-swans-perform.md
@@ -0,0 +1,5 @@
+---
+'@sveltejs/kit': patch
+---
+
+fix: ensure error messages are escaped
diff --git a/packages/kit/src/exports/vite/dev/index.js b/packages/kit/src/exports/vite/dev/index.js
@@ -18,6 +18,7 @@ import { compact } from '../../../utils/array.js';
 import { not_found } from '../utils.js';
 import { SCHEME } from '../../../utils/url.js';
 import { check_feature } from '../../../utils/features.js';
+import { escape_html } from '../../../utils/escape.js';
 
 const cwd = process.cwd();
 
@@ -508,7 +509,7 @@ export async function dev(vite, vite_config, svelte_config) {
 					const error_template = ({ status, message }) => {
 						return error_page
 							.replace(/%sveltekit\.status%/g, String(status))
-							.replace(/%sveltekit\.error\.message%/g, message);
+							.replace(/%sveltekit\.error\.message%/g, escape_html(message));
 					};
 
 					res.writeHead(500, {
diff --git a/packages/kit/src/runtime/server/utils.js b/packages/kit/src/runtime/server/utils.js
@@ -5,6 +5,7 @@ import { negotiate } from '../../utils/http.js';
 import { HttpError } from '../control.js';
 import { fix_stack_trace } from '../shared-server.js';
 import { ENDPOINT_METHODS } from '../../constants.js';
+import { escape_html } from '../../utils/escape.js';
 
 /** @param {any} body */
 export function is_pojo(body) {
@@ -50,7 +51,7 @@ export function allowed_methods(mod) {
  * @param {string} message
  */
 export function static_error_page(options, status, message) {
-	let page = options.templates.error({ status, message });
+	let page = options.templates.error({ status, message: escape_html(message) });
 
 	if (DEV) {
 		// inject Vite HMR client, for easier debugging
