From f715b5ea2e1b75498e253181b4ed74847ba90a08 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Fri, 9 Sep 2016 13:52:34 +0200
Subject: [PATCH] Don't print exception message in HTML

The exception message is potentially influenced by user input and could thus be confusing (e.g. somebody could try to open a file like "Please send a mail to support@foo.com", and then the message would include that string).

It is thus reasonable to not show the exception message by default. Also for the browser view I added an `exit()` at the end, as otherwise the XML exception would be attached.
---
 apps/dav/lib/Files/BrowserErrorPagePlugin.php | 7 +++----
 apps/dav/templates/exception.php              | 5 ++---
 2 files changed, 5 insertions(+), 7 deletions(-)

diff --git a/apps/dav/lib/Files/BrowserErrorPagePlugin.php b/apps/dav/lib/Files/BrowserErrorPagePlugin.php
index 8c257b324b9..b58ce4df874 100644
--- a/apps/dav/lib/Files/BrowserErrorPagePlugin.php
+++ b/apps/dav/lib/Files/BrowserErrorPagePlugin.php
@@ -31,7 +31,6 @@ use Sabre\DAV\Server;
 use Sabre\DAV\ServerPlugin;
 
 class BrowserErrorPagePlugin extends ServerPlugin {
-
 	/** @var Server */
 	private $server;
 
@@ -88,8 +87,7 @@ class BrowserErrorPagePlugin extends ServerPlugin {
 
 	/**
 	 * @codeCoverageIgnore
-	 * @param \Exception $ex
-	 * @param int $httpCode
+	 * @param \Exception $exception
 	 * @return bool|string
 	 */
 	public function generateBody(\Exception $exception) {
@@ -109,10 +107,11 @@ class BrowserErrorPagePlugin extends ServerPlugin {
 		return $content->fetchPage();
 	}
 
-	/*
+	/**
 	 * @codeCoverageIgnore
 	 */
 	public function sendResponse() {
 		$this->server->sapi->sendResponse($this->server->httpResponse);
+		exit();
 	}
 }
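Review bot: The `exit()` added as the last statement of `sendResponse()` has no comment saying why the request is terminated there, and a bare `exit()` inside a plugin is easy to remove by mistake later. I would put `// Stop here: otherwise Sabre appends its XML exception body after the HTML error page` directly above it. Because the process ends at this point, anything that would normally run after this call (later handlers for the same event, exception logging) is skipped. The caller of `sendResponse()` is outside the hunk, so it is worth confirming that the exception has already been logged before this method is reached.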
diff --git a/apps/dav/templates/exception.php b/apps/dav/templates/exception.php
index ff3d1f3d20d..c4abd205bfc 100644
--- a/apps/dav/templates/exception.php
+++ b/apps/dav/templates/exception.php
@@ -1,7 +1,5 @@
 <?php
 /**
-
- *
  * @author Thomas Müller <thomas.mueller@tmit.eu>
  *
  * @license GNU AGPL version 3 or any later version
@@ -21,10 +19,11 @@
  *
  */
 style('core', ['styles', 'header']);
+
+/** @param $_ array */
 ?>
 <span class="error error-wide">
 	<h2><strong><?php p($_['title']) ?></strong></h2>
-		<p><?php p($_['message']) ?></p>
 	<br>
 
 	<h2><strong><?php p($l->t('Technical details')) ?></strong></h2>
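Review bot: The added `/** @param $_ array */` uses `@param` outside a function signature, so IDEs and static analysers will likely ignore it; the tag for a template variable is `/** @var array $_ */`, and `$l`, used further down, could be annotated the same way. Separately, the "Technical details" block that begins on the last line of this hunk continues outside it. If that block prints other fields derived from the request or the exception, the user-influenced text concern described in the commit message would apply there as well, so it should be checked against this change.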
-- 
GitLab