From e88a0be49c2050be9ef75ce1f7ceb098f57ccb4f Mon Sep 17 00:00:00 2001
From: matthew <matthew>
Date: Mon, 26 Jan 2009 14:22:54 +0000
Subject: Catch all errors, escape HTML (thanks to Petter Reinholdtsen).

---
 perllib/Page.pm | 38 ++++++++++++++++++++++----------------
 1 file changed, 22 insertions(+), 16 deletions(-)

(limited to 'perllib/Page.pm')

diff --git a/perllib/Page.pm b/perllib/Page.pm
index 9771d4d36..47388b25b 100644
--- a/perllib/Page.pm
+++ b/perllib/Page.pm
@@ -6,7 +6,7 @@
 # Copyright (c) 2006 UK Citizens Online Democracy. All rights reserved.
 # Email: matthew@mysociety.org; WWW: http://www.mysociety.org/
 #
-# $Id: Page.pm,v 1.135 2009-01-20 14:58:05 matthew Exp $
+# $Id: Page.pm,v 1.136 2009-01-26 14:22:54 matthew Exp $
 #
 
 package Page;
@@ -59,26 +59,32 @@ sub do_fastcgi {
             $W->exit_if_changed();
         }
     } catch Error::Simple with {
-        my $E = shift;
-        my $msg = sprintf('%s:%d: %s', $E->file(), $E->line(), $E->text());
-        warn "caught fatal exception: $msg";
-        warn "aborting";
-        ent($msg);
-        my $contact_email = mySociety::Config::get('CONTACT_EMAIL');
-        print "Status: 500\nContent-Type: text/html; charset=iso-8859-1\n\n",
-                q(<html><head><title>Sorry! Something's gone wrong.</title></head></html>),
-                q(<body>),
-                q(<h1>Sorry! Something's gone wrong.</h1>),
-                qq(<p>Please try again later, or <a href="mailto:$contact_email">email us</a> to let us know.</p>),
-                q(<hr>),
-                q(<p>The text of the error was:</p>),
-                qq(<blockquote class="errortext">$msg</blockquote>),
-                q(</body></html>);
+        report_error(@_);
+    } catch Error with {
+        report_error(@_);
     };
     dbh()->rollback() if $mySociety::DBHandle::conf_ok;
     exit(0);
 }
 
+sub report_error {
+    my $E = shift;
+    my $msg = sprintf('%s:%d: %s', $E->file(), $E->line(), CGI::escapeHTML($E->text()));
+    warn "caught fatal exception: $msg";
+    warn "aborting";
+    ent($msg);
+    my $contact_email = mySociety::Config::get('CONTACT_EMAIL');
+    print "Status: 500\nContent-Type: text/html; charset=iso-8859-1\n\n",
+            q(<html><head><title>Sorry! Something's gone wrong.</title></head></html>),
+            q(<body>),
+            q(<h1>Sorry! Something's gone wrong.</h1>),
+            qq(<p>Please try again later, or <a href="mailto:$contact_email">email us</a> to let us know.</p>),
+            q(<hr>),
+            q(<p>The text of the error was:</p>),
+            qq(<blockquote class="errortext">$msg</blockquote>),
+            q(</body></html>);
+}
+
 =item microsite Q
 
 Work out what site we're on, template appropriately
-- 
cgit v1.2.3