From 49cd7aa02021281b2b6ce971ede3785fa88bfd92 Mon Sep 17 00:00:00 2001
From: maliming
Date: Wed, 1 Mar 2023 16:11:47 +0800
Subject: [PATCH] Encode the text in the `MultiTenancyMiddlewareErrorPageBuilder`.
---
 .../AbpAspNetCoreMultiTenancyOptions.cs | 5 ++--
 ...TenancyMiddlewareErrorPageBuilder_Tests.cs | 26 +++++++++++++++++++
 2 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 framework/test/Volo.Abp.AspNetCore.MultiTenancy.Tests/Volo/Abp/AspNetCore/MultiTenancy/AspNetCoreMultiTenancy_MultiTenancyMiddlewareErrorPageBuilder_Tests.cs
diff --git a/framework/src/Volo.Abp.AspNetCore.MultiTenancy/Volo/Abp/AspNetCore/MultiTenancy/AbpAspNetCoreMultiTenancyOptions.cs b/framework/src/Volo.Abp.AspNetCore.MultiTenancy/Volo/Abp/AspNetCore/MultiTenancy/AbpAspNetCoreMultiTenancyOptions.cs
index 4e4411756d..447861a788 100644
--- a/framework/src/Volo.Abp.AspNetCore.MultiTenancy/Volo/Abp/AspNetCore/MultiTenancy/AbpAspNetCoreMultiTenancyOptions.cs
+++ b/framework/src/Volo.Abp.AspNetCore.MultiTenancy/Volo/Abp/AspNetCore/MultiTenancy/AbpAspNetCoreMultiTenancyOptions.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Globalization;
 using System.Net;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
 using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.DependencyInjection;
@@ -42,8 +43,8 @@ public class AbpAspNetCoreMultiTenancyOptions
 var message = exception.Message;
 var details = exception is BusinessException businessException ? businessException.Details : string.Empty;
- await context.Response.WriteAsync($"\r\n");
- await context.Response.WriteAsync($"

{message}

{details}
\r\n");
+ await context.Response.WriteAsync($"\r\n");
+ await context.Response.WriteAsync($"

{HtmlEncoder.Default.Encode(message)}

{HtmlEncoder.Default.Encode(details)}
\r\n");
 await context.Response.WriteAsync("\r\n");
 // Note the 500 spaces are to work around an IE 'feature'
diff --git a/framework/test/Volo.Abp.AspNetCore.MultiTenancy.Tests/Volo/Abp/AspNetCore/MultiTenancy/AspNetCoreMultiTenancy_MultiTenancyMiddlewareErrorPageBuilder_Tests.cs b/framework/test/Volo.Abp.AspNetCore.MultiTenancy.Tests/Volo/Abp/AspNetCore/MultiTenancy/AspNetCoreMultiTenancy_MultiTenancyMiddlewareErrorPageBuilder_Tests.cs
new file mode 100644
index 0000000000..8932745f29
--- /dev/null
+++ b/framework/test/Volo.Abp.AspNetCore.MultiTenancy.Tests/Volo/Abp/AspNetCore/MultiTenancy/AspNetCoreMultiTenancy_MultiTenancyMiddlewareErrorPageBuilder_Tests.cs
@@ -0,0 +1,26 @@
+using System.Collections.Generic;
+using System.Net;
+using System.Threading.Tasks;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
+using Shouldly;
+using Xunit;
+
+namespace Volo.Abp.AspNetCore.MultiTenancy;
+
+public class AspNetCoreMultiTenancy_MultiTenancyMiddlewareErrorPageBuilder_Tests : AspNetCoreMultiTenancyTestBase
+{
+ private readonly AbpAspNetCoreMultiTenancyOptions _options;
+
+ public AspNetCoreMultiTenancy_MultiTenancyMiddlewareErrorPageBuilder_Tests()
+ {
+ _options = ServiceProvider.GetRequiredService>().Value;
+ }
+
+ [Fact]
+ public async Task MultiTenancyMiddlewareErrorPageBuilder()
+ {
+ var result = await GetResponseAsStringAsync($"http://abp.io?{_options.TenantKey}=", HttpStatusCode.NotFound);
+ result.ShouldNotContain("");
+ }
+}
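Review bot: `HtmlEncoder.Default.Encode(details)` in the second added `WriteAsync` call throws `ArgumentNullException` when its argument is null, whereas the interpolation it replaces rendered a null as empty text. `details` is taken from `businessException.Details`, whose nullability is not visible in this hunk; if it can be null, the error page builder would now fail while reporting the tenant-resolution error instead of writing the page. Guarding at the call site, `HtmlEncoder.Default.Encode(details ?? string.Empty)`, keeps the encoding and the earlier null behaviour. The string literals have lost their markup in this rendering, so the rest of the two changed lines cannot be checked here, and the enclosing block starts and ends outside the hunk.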
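Review bot: The only assertion in `MultiTenancyMiddlewareErrorPageBuilder()` is negative (`ShouldNotContain`), so the test also passes when the tenant value never reaches the response body or the error page is not written at all. The literals in the request URL and in `ShouldNotContain` appear empty in this rendering, probably markup lost in extraction, so the exact input cannot be confirmed from the page. Keeping the input in a local and adding a positive check on its encoded form, e.g. `result.ShouldContain(HtmlEncoder.Default.Encode(input));` with `using System.Text.Encodings.Web;`, would pin the behaviour the commit introduces, assuming the page echoes the tenant value. A second case for an exception that carries no details would cover the other encoded argument.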