From ef4ec81ab8fe7814d26c2b77c06994a7ba95cfd5 Mon Sep 17 00:00:00 2001
From: tuanaiseo
Date: Thu, 2 Apr 2026 20:52:22 +0700
Subject: [PATCH] fix(security): reflected xss in html error page rendering

The error page template inserts `{errorMessage}` and `{stackTrace}` directly into HTML without escaping. Error messages can include untrusted content (for example, external tool stderr/stdout propagated through exceptions), which could execute script in a browser viewing the error page.

Affected files: error.html

Signed-off-by: tuanaiseo <221258316+tuanaiseo@users.noreply.github.com>
---
 server/src/main/resources/web/error.html | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/server/src/main/resources/web/error.html b/server/src/main/resources/web/error.html
index 1987b0323..b395c8809 100644
--- a/server/src/main/resources/web/error.html
+++ b/server/src/main/resources/web/error.html
@@ -11,11 +11,11 @@
{logo}

Convert plain text diagrams to images !

-

{title}

+

{titleEscaped}

- {errorCode} {errorMessage} -
    {stackTrace}
+ {errorCodeEscaped} {errorMessageEscaped} +
    {stackTraceEscaped}
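Review bot: this hunk only renames the placeholders; nothing in the diff produces the escaped values, and the diffstat lists error.html as the only file changed. Unless the server code that fills the template is updated in the same series to supply `{titleEscaped}`, `{errorCodeEscaped}`, `{errorMessageEscaped}` and `{stackTraceEscaped}` as HTML-escaped strings (and to stop offering the raw `{errorMessage}` and `{stackTrace}` names), the page will render the literal placeholder text instead of a safe message, so please include that change here or link the commit that carries it. A regression test that drives an exception message containing `<script>` through the error path and asserts the response body contains `&lt;script&gt;` rather than the raw tag would pin the fix. The extraction drops the enclosing tags, so also confirm that each placeholder lands in a text context; a value substituted into an attribute needs attribute escaping, not only `&`, `<` and `>` replacement. `{logo}` stays unescaped, which is acceptable only if it is a fixed, server-controlled value.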