From 57fce758f5bd116e1f603d6435fb341f2741ab16 Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite <alexandre@alapetite.fr>
Date: Wed, 28 Nov 2018 22:16:14 +0100
Subject: [PATCH] Fix HTML injections (#2157)

Minz: Fix HTML injections
---
 app/views/error/index.phtml              | 2 +-
 lib/Minz/ActionException.php             | 4 +---
 lib/Minz/ControllerNotExistException.php | 4 +---
 3 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/app/views/error/index.phtml b/app/views/error/index.phtml
index fe3abf8c4..8fd74e8bf 100644
--- a/app/views/error/index.phtml
+++ b/app/views/error/index.phtml
@@ -2,7 +2,7 @@
 	<div class="alert alert-error">
 		<h1 class="alert-head"><?php echo $this->code; ?></h1>
 		<p>
-			<?php echo $this->errorMessage; ?><br />
+			<?php echo htmlspecialchars($this->errorMessage, ENT_NOQUOTES, 'UTF-8'); ?><br />
 			<a href="<?php echo _url('index', 'index'); ?>"><?php echo _t('gen.action.back_to_rss_feeds'); ?></a>
 		</p>
 	</div>
diff --git a/lib/Minz/ActionException.php b/lib/Minz/ActionException.php
index f1f70c1bc..311f15086 100644
--- a/lib/Minz/ActionException.php
+++ b/lib/Minz/ActionException.php
@@ -1,9 +1,7 @@
 <?php
 class Minz_ActionException extends Minz_Exception {
 	public function __construct ($controller_name, $action_name, $code = self::ERROR) {
-		$message = '`' . $action_name . '` cannot be invoked on `'
-		         . $controller_name . '`';
-
+		$message = 'Invalid action name for controller ' . $controller_name;
 		parent::__construct ($message, $code);
 	}
 }
diff --git a/lib/Minz/ControllerNotExistException.php b/lib/Minz/ControllerNotExistException.php
index 24a09a635..dcdaa94d1 100644
--- a/lib/Minz/ControllerNotExistException.php
+++ b/lib/Minz/ControllerNotExistException.php
@@ -1,9 +1,7 @@
 <?php
 class Minz_ControllerNotExistException extends Minz_Exception {
 	public function __construct ($controller_name, $code = self::ERROR) {
-		$message = 'Controller `' . $controller_name
-		         . '` doesn\'t exist';
-
+		$message = 'Controller not found!';
 		parent::__construct ($message, $code);
 	}
 }