Merge pull request #2485 from drgrice1/bugfix/cross-site-scripting-vu…

…lnerabilities

Fix some cross-site scripting vulnerabilities.

lib/WeBWorK/ContentGenerator/Options.pm

@@ -62,7 +62,10 @@ sub initialize ($c) {
 						eval { $db->addPassword($effectiveUserPassword) };
 						$password = $password // $effectiveUserPassword;
 						if ($@) {
-							$c->addbadmessage($c->maketext("Couldn't change [_1]'s password: [_2]", $e_user_name, $@));
+							$c->log->error("Error changing ${e_user_name}'s password: $@");
+							$c->addbadmessage($c->maketext(
+								"[_1]'s password was not changed due to an internal error.", $e_user_name
+							));
 						} else {
 							$c->addgoodmessage($c->maketext("[_1]'s password has been changed.", $e_user_name));
 						}
@@ -71,7 +74,10 @@ sub initialize ($c) {
 						eval { $db->putPassword($effectiveUserPassword) };
 						$password = $password // $effectiveUserPassword;
 						if ($@) {
-							$c->addbadmessage($c->maketext("Couldn't change [_1]'s password: [_2]", $e_user_name, $@));
+							$c->log->error("Error changing ${e_user_name}'s password: $@");
+							$c->addbadmessage($c->maketext(
+								"[_1]'s password was not changed due to an internal error.", $e_user_name
+							));
 						} else {
 							$c->addgoodmessage($c->maketext("[_1]'s password has been changed.", $e_user_name));
 						}
@@ -106,8 +112,11 @@ sub initialize ($c) {
 		eval { $db->putUser($c->{effectiveUser}) };
 		if ($@) {
 			$c->{effectiveUser}->email_address($oldA);
-			$c->addbadmessage($c->maketext("Couldn't change your email address: [_1]", $@));
+			$c->log->error("Unable to save new email address for $userID: $@");
+			$c->addbadmessage($c->maketext('Your email address has not been changed due to an internal error.'));
 		} else {
+			$c->param('currAddress', $c->param('newAddress'));
+			$c->param('newAddress',  undef);
 			$c->addgoodmessage($c->maketext('Your email address has been changed.'));
 		}
 	}
@@ -127,7 +136,8 @@ sub initialize ($c) {
 
 			eval { $db->putUser($c->{effectiveUser}) };
 			if ($@) {
-				$c->addbadmessage($c->maketext("Couldn't save your display options: [_1]", $@));
+				$c->log->error("Unable to save display options for $userID: $@");
+				$c->addbadmessage($c->maketext('Your display options were not saved due to an internal error.'));
 			} else {
 				$c->addgoodmessage($c->maketext('Your display options have been saved.'));
 			}

lib/WeBWorK/Utils/Routes.pm

@@ -573,13 +573,14 @@ sub setup_content_generator_routes_recursive {
 	my $action = $routeParameters{$child}{action} // 'go';
 
 	if ($routeParameters{$child}{children}) {
-		my $child_route = $route->under($routeParameters{$child}{path})->name($child);
+		my $child_route = $route->under($routeParameters{$child}{path}, [ problemID => qr/\d+/ ])->name($child);
 		$child_route->any('/')->to("$routeParameters{$child}{module}#$action")->name($child);
 		for (@{ $routeParameters{$child}{children} }) {
 			setup_content_generator_routes_recursive($child_route, $_);
 		}
 	} else {
-		$route->any($routeParameters{$child}{path})->to("$routeParameters{$child}{module}#$action")->name($child);
+		$route->any($routeParameters{$child}{path}, [ problemID => qr/\d+/ ])
+			->to("$routeParameters{$child}{module}#$action")->name($child);
 	}
 
 	return;

templates/ContentGenerator/GatewayQuiz.html.ep

@@ -74,7 +74,7 @@
 				$setID, $effectiveUserID, $c->{invalidVersionCreation} ? " (acted as by $userID)" : ''
 			) =%>
 		</div>
-		<div><%== $c->{invalidSet} %></div>
+		<div><%= $c->{invalidSet} %></div>
 		% if ($c->{invalidVersionCreation} && $c->{invalidVersionCreation} == 1) {
 			<p>
 				<%= link_to 'Create new set version.' => $c->systemLink(

templates/ContentGenerator/ProblemSet.html.ep

@@ -13,7 +13,7 @@
 				stash('setID'), param('effectiveUser')
 			) =%>
 		</p>
-		<p class="mb-0"><%== $c->{invalidSet} %></p>
+		<p class="mb-0"><%= $c->{invalidSet} %></p>
 	</div>
 	% last;
 % }