Summary

Issue:
------------
"charset=utf-8" definition is missing in \templates\system\error.php

I'm not an expert, but this could bring a risk of reflected XSS on the "Home Page" link of the error page.


Solution:
-------------
Insert the following line right after <head>:
<meta http-equiv="content-type" content="text/html; charset=utf-8" />


Additional fix:
------------------
While at it, also fix the XHTML validation issue with <ul> being inside <p>. (List elements, in particular ol and ul elements, cannot be children of p elements; see http://www.whatwg.org/specs/web-apps/current-work/multipage/grouping-content.html#the-p-element.) I.e. remove the <p> line before <ul> and the </p> line after </ul>.


Here is the complete patch:
----------------------------
@@ -21,2 +21,3 @@
<head>
+ <meta http-equiv="content-type" content="text/html; charset=utf-8" />
<title><?php echo $this->error->code ?> - <?php echo $this->title; ?></title>
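Review bot: the meta element is placed ahead of <title>, which is the right spot (the declaration has to precede any text the browser would otherwise have to sniff), but the value is hard-coded to utf-8 and can disagree with the encoding the site is actually configured with; emitting the configured value, e.g. `charset=<?php echo $this->getCharset(); ?>`, keeps the template and the site's global setting aligned.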

@@ -43,3 +44,2 @@
<p><strong><?php echo JText::_('Please try one of the following pages:'); ?></strong></p>
- <p>
<ul>
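Review bot: dropping the `<p>` moves the list from inside a paragraph to a direct child of the surrounding container, so any template CSS that selects it as `p ul` or `p > ul` stops matching; check the system template stylesheet before merging, and keep this removal together with the matching `</p>` removal in the next hunk so the markup never ships with one half of the pair.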

@@ -47,3 +47,2 @@
</ul>
- </p>
<p><?php echo JText::_('If difficulties persist, please contact the system administrator of this site.'); ?></p>
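Review bot: this hunk only makes sense together with the `<p>` removal above it; applied on its own it leaves an unmatched opening tag, so the two should be committed as one change. The context line that follows echoes a static JText string and needs no escaping, unlike `$this->error->message`, which this patch leaves as-is.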
-----------------------------


Test after fix:
-----------------
Validate the error page HTML code (e.g. open a non-existing URL of your website to get a "404 Page not found" error) on http://validator.w3.org/, either by giving the validator a link to the page, if it is on a public server, or by pasting the page's HTML source code copied from a browser. Make sure there are neither validation errors nor warnings.
Note: If validating via a link, the "Validate error pages" checkbox under "More Options" of the validator needs to be activated.


The missing charset definition issue affects current Joomla versions too. I'm going to submit a separate bug report for them and post it here later.
Opened On:
10 Aug 2013, 19:47 by Jonny Roger
Status:
Open

Filed Under

  • Administrator

Responses

Posted on 10 Aug 2013, 20:12 by Jonny Roger
Submitted the following bug report for the currently supported versions of Joomla: http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31724
Posted on 17 Aug 2013, 11:46 by Jonny Roger

P.S.: To prevent a possible misalignment with the site's globally configured character encoding, the following line above:
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
could be replaced with the following line:
<meta http-equiv="content-type" content="text/html; charset=<?php echo $this->getCharset(); ?>" />
That would use the character encoding of the site instead of hard-coding it to "utf-8". It is advisable, though, to have the character encoding of the site set to "utf-8" (which is the Joomla default, i.e. don't change it in the first place), as described in http://zaynar.co.uk/docs/charset-encoding-xss.html.
Posted on 8 Sep 2013, 12:57 by Jonny Roger

Also, as additional hardening, the following on lines 37 and 54:

  echo $this->error->message

should be changed to:

  echo htmlspecialchars($this->error->message, ENT_QUOTES, 'UTF-8')
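The three changes discussed in this thread (an explicit charset declaration, using the site's configured encoding instead of a hard-coded one, and escaping the error message) can be tried together outside Joomla. The script below is an added illustration and is not code from error.php or from the Joomla project: `renderErrorPage()` and `h()` are made-up helpers, `$charset` stands in for `$this->getCharset()`, and `$code`/`$message` stand in for `$this->error->code` and `$this->error->message`. It prints the raw echo beside the hardened page, and also shows one caveat a practitioner hits after adding the explicit encoding argument to htmlspecialchars(): a message containing invalid UTF-8 bytes is turned into an empty string unless ENT_SUBSTITUTE is passed.

```php
<?php
// Added example, not Joomla's error.php. Mimics the template's structure with
// constructed helpers and a constructed error message.
declare(strict_types=1);

/**
 * Escape for an HTML text node or attribute. The encoding is named explicitly
 * so PHP never falls back to a default that may differ from the page's charset.
 * ENT_SUBSTITUTE replaces invalid byte sequences with U+FFFD instead of making
 * htmlspecialchars() return '' and silently blanking the whole message.
 */
function h(string $value, string $charset = 'UTF-8'): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, $charset);
}

/**
 * Render a minimal error page. $charset stands in for $this->getCharset();
 * $code and $message stand in for $this->error->code / $this->error->message.
 */
function renderErrorPage(int $code, string $message, string $charset = 'UTF-8'): string
{
    // The charset declaration must precede any non-ASCII content, so it is the
    // first element inside <head>, ahead of <title>.
    $html  = "<html>\n<head>\n";
    $html .= '<meta http-equiv="content-type" content="text/html; charset=' . h($charset) . "\" />\n";
    $html .= '<title>' . $code . ' - ' . h($message, $charset) . "</title>\n";
    $html .= "</head>\n<body>\n";
    $html .= '<h1>' . h($message, $charset) . "</h1>\n";
    $html .= "</body>\n</html>\n";
    return $html;
}

// Constructed sample: an error message that carries markup, as one built from
// a reflected request path could.
$sample = 'Page not found: /index.php?q=<script>alert(1)</script>';

// As lines 37 and 54 currently emit it (markup reaches the browser untouched):
echo "--- raw echo ---\n";
echo $sample, "\n";

// As the hardened template would emit it (markup rendered as text):
echo "--- hardened page ---\n";
echo renderErrorPage(404, $sample);

// Caveat: with an explicit charset, htmlspecialchars() validates the input.
// Constructed message with a lone lead byte (0xC3 not followed by a
// continuation byte), i.e. invalid UTF-8.
$invalid = "bad byte \xC3\x28 here";
$dropped = htmlspecialchars($invalid, ENT_QUOTES, 'UTF-8');  // whole string discarded
$kept    = h($invalid);                                       // bad byte becomes U+FFFD

echo "--- invalid UTF-8 without ENT_SUBSTITUTE: ", $dropped === '' ? "empty string" : $dropped, "\n";
echo "--- invalid UTF-8 with ENT_SUBSTITUTE:    ", $kept, "\n";
```

Run it with `php example.php`. The raw echo reproduces the script element verbatim, the hardened page shows `&lt;script&gt;` in both the title and the body, and the last two lines show why the ENT_SUBSTITUTE flag belongs next to ENT_QUOTES once the encoding is pinned: without it a single malformed byte makes the error message disappear entirely, which is easy to miss in testing because nothing fails loudly.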