From 59acd8e3ba9d2c2833fb0cfaf968bf4b4a68f6c9 Mon Sep 17 00:00:00 2001
From: Dan Garner <dan@xibosignage.com>
Date: Fri, 29 Nov 2024 12:55:36 +0000
Subject: [PATCH] Errors: sanitize output  fixes xibosignage/xibo#3554

---
 lib/Factory/MediaFactory.php | 4 ++--
 lib/Middleware/Handlers.php  | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/Factory/MediaFactory.php b/lib/Factory/MediaFactory.php
index 98fbf769e2..758696fecf 100644
--- a/lib/Factory/MediaFactory.php
+++ b/lib/Factory/MediaFactory.php
@@ -1,6 +1,6 @@
 <?php
 /*
- * Copyright (C) 2023 Xibo Signage Ltd
+ * Copyright (C) 2024 Xibo Signage Ltd
  *
  * Xibo - Digital Signage - https://xibosignage.com
  *
@@ -183,7 +183,7 @@ public function queueDownload($name, $uri, $expiry, $requestOptions = [])
             $media->enableStat = $requestOptions['enableStat'];
             $media->folderId = $requestOptions['folderId'];
             $media->permissionsFolderId = $requestOptions['permissionsFolderId'];
-            $media->apiRef = $requestOptions['apiRef'];
+            $media->apiRef = $requestOptions['apiRef'] ?? null;
         }
 
         $this->getLog()->debug('Queue download of: ' . $uri . ', current mediaId for this download is '
diff --git a/lib/Middleware/Handlers.php b/lib/Middleware/Handlers.php
index 82b3e0309a..93ea142c1d 100644
--- a/lib/Middleware/Handlers.php
+++ b/lib/Middleware/Handlers.php
@@ -1,8 +1,8 @@
 <?php
 /*
- * Copyright (C) 2023 Xibo Signage Ltd
+ * Copyright (C) 2024 Xibo Signage Ltd
  *
- * Xibo - Digital Signage - http://www.xibo.org.uk
+ * Xibo - Digital Signage - https://xibosignage.com
  *
  * This file is part of Xibo.
  *
@@ -151,7 +151,7 @@ public static function webErrorHandler($container)
             } else {
                 // Make a friendly message
                 if ($displayErrorDetails || $exception instanceof GeneralException) {
-                    $message = $exception->getMessage();
+                    $message = htmlspecialchars($exception->getMessage());
                 } else {
                     $message = __('Unexpected Error, please contact support.');
                 }