Escape strings in HTML output (XSS fix)

Modify the template producing HTML error responses to correctly
escape all strings that are possibly coming from the client making the
request. Before this change, the error responses were vulnerable to XSS
(cross-site scripting) attacks.

.npmrc

@@ -0,0 +1 @@
+package-lock=false

package.json

@@ -19,7 +19,7 @@
   "dependencies": {
     "accepts": "^1.3.3",
     "debug": "^2.2.0",
-    "ejs": "^2.4.2",
+    "ejs": "^2.5.7",
     "http-status": "^1.0.0",
     "js2xmlparser": "^3.0.0",
     "strong-globalize": "^3.1.0"

test/handler.test.js

@@ -472,6 +472,47 @@ describe('strong-error-handler', function() {
           done);
     });
 
+    it('HTML-escapes all 4xx response properties in production mode',
+      function(done) {
+        const error = new ErrorWithProps({
+          name: 'Error<img onerror=alert(1) src=a>',
+          message:
+            'No instance with id <img onerror=alert(1) src=a> found for Model',
+          statusCode: 404,
+        });
+        givenErrorHandlerForError(error, {debug: false});
+        requestHTML()
+          .end(function(err, res) {
+            expect(res.statusCode).to.eql(404);
+            const body = res.error.text;
+            expect(body).to.match(
+              /<title>Error&lt;img onerror=alert\(1\) src=a&gt;<\/title>/
+            );
+            expect(body).to.match(
+              /with id &lt;img onerror=alert\(1\) src=a&gt; found for Model/
+            );
+            done();
+          });
+      }
+    );
+
+    it('HTML-escapes all 5xx response properties in development mode',
+      function(done) {
+        const error = new ErrorWithProps({
+          message: 'a test error message<img onerror=alert(1) src=a>',
+        });
+        error.statusCode = 500;
+        givenErrorHandlerForError(error, {debug: true});
+        requestHTML()
+          .expect(500)
+          .expect(/<title>ErrorWithProps<\/title>/)
+          .expect(
+            /500(.*?)a test error message&lt;img onerror=alert\(1\) src=a&gt;/,
+            done
+          );
+      }
+    );
+
     it('contains subset of properties when status=4xx', function(done) {
       var error = new ErrorWithProps({
         name: 'ValidationError',

views/default-error.ejs

@@ -1,19 +1,19 @@
 <html>
   <head>
     <meta charset='utf-8'>
-    <title><%- data.name || data.message %></title>
+    <title><%= data.name || data.message %></title>
     <style><%- include style.css %></style>
   </head>
   <body>
     <div id="wrapper">
-      <h1><%- data.name %></h1>
-      <h2><em><%- data.statusCode %></em> <%- data.message %></h2>
+      <h1><%= data.name %></h1>
+      <h2><em><%= data.statusCode %></em> <%= data.message %></h2>
       <%
         // display all the non-standard properties
         var standardProps = ['name', 'statusCode', 'message', 'stack'];
         for (var prop in data) {
           if (standardProps.indexOf(prop) == -1 && data[prop]) { %>
-            <div><b><%- prop %></b>: <%- data[prop] %></div>
+            <div><b><%= prop %></b>: <%= data[prop] %></div>
           <% }
         }
         if (data.stack) { %>