diff --git a/app/settings.py b/app/settings.py
index c3c23b3..291f7d3 100644
--- a/app/settings.py
+++ b/app/settings.py
@@ -139,21 +139,21 @@ def test_connection():
 return jsonify(result)
 except Exception as e:
- error_msg = str(e)
- print(f"Test connection error: {error_msg}")
+ print(f"Test connection error: {str(e)}")
 print(traceback.format_exc())
- # Provide more specific error messages
- if 'timeout' in error_msg.lower():
- error_msg = 'Connection timed out. Please check your DirectAdmin server URL and network connection.'
- elif 'connection' in error_msg.lower():
- error_msg = 'Unable to connect to DirectAdmin server. Please verify the server URL is correct.'
- elif 'ssl' in error_msg.lower() or 'certificate' in error_msg.lower():
- error_msg = 'SSL certificate error. Try using HTTP instead of HTTPS, or check your certificate configuration.'
+ # Provide more specific error messages to the user, do not return exception messages
+ user_error_msg = None
+ error_str = str(e).lower()
+ if 'timeout' in error_str:
+ user_error_msg = 'Connection timed out. Please check your DirectAdmin server URL and network connection.'
+ elif 'connection' in error_str:
+ user_error_msg = 'Unable to connect to DirectAdmin server. Please verify the server URL is correct.'
+ elif 'ssl' in error_str or 'certificate' in error_str:
+ user_error_msg = 'SSL certificate error. Try using HTTP instead of HTTPS, or check your certificate configuration.'
 else:
- error_msg = f'Connection test failed: {error_msg}'
-
- return jsonify({'error': error_msg, 'success': False}), 200
+ user_error_msg = 'Connection test failed. Please contact support or try again later.'
+ return jsonify({'error': user_error_msg, 'success': False}), 200
 @settings_bp.route('/api/domains', methods=['GET'])
 @login_required
diff --git a/requirements.txt b/requirements.txt
index 691bca1..a39a3e8 100644
--- a/requirements.txt
+++ b/requirements.txt
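Review bot: The new handler still reports the failure with `print(f"Test connection error: {str(e)}")` followed by `print(traceback.format_exc())`, so the traceback goes to stdout and bypasses whatever logging configuration the application has; a single `logger.exception("Test connection error")` (or `logging.getLogger(__name__).exception(...)` if this module has no logger — I cannot see its imports from the hunk) records message and traceback in one call and keeps the raw exception text server-side exactly as the new comment intends. `user_error_msg = None` is dead, since every branch of the if/elif/else assigns it, and `{str(e)}` inside an f-string can simply be `{e}`. The route still answers HTTP 200 with `'success': False` for an error, which forces clients to inspect the body flag rather than the status; a 5xx (or at least 400) would be more accurate if the frontend can handle it. test_connection's body starts outside the hunk.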
@@ -7,4 +7,4 @@ pyotp==2.9.0
 qrcode==8.2
 pillow==11.3.0
 requests==2.32.5
-cryptography==46.0.1
\ No newline at end of file
+cryptography==46.0.2
\ No newline at end of file
diff --git a/static/dashboard.js b/static/dashboard.js
index 1eabe68..9e38f09 100644
--- a/static/dashboard.js
+++ b/static/dashboard.js
@@ -4,6 +4,16 @@ let emailAccounts = [];
 let availableDomains = [];
 let selectedDomain = null;
+// Escape a string for HTML insertion (prevents XSS)
+function escapeHTML(str) {
+ return String(str)
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+}
+
 // Helper function to validate destinations (including special ones)
 function isValidDestination(destination) {
 // Allow special destinations
@@ -228,9 +238,9 @@ async function loadForwarders() {
 console.error('Error loading forwarders:', error);
 if (error.response && error.response.status === 403) {
- tbody.innerHTML = '
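Review bot: As rendered here, the replacement strings in the new escapeHTML function are the bare characters themselves (`.replace(/&/g, "&")`, `.replace(/"/g, """)`) and the `<` step is fused into `.replace(//g, ">")`, which would make the function a no-op and a syntax error; this is most likely entity decoding in the diff view, but the committed file should be checked to contain `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#39;` in that order (the `&` replacement has to come first or it double-escapes the others). A single-pass form removes that ordering dependency entirely: `return String(str).replace(/[&<>"']/g, (ch) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[ch]);`. The helper is only effective where every server-provided value that reaches innerHTML passes through it; the hunk at line 228 that touches `tbody.innerHTML` is cut off in this chunk, so that cannot be confirmed here. The one-line comment could say where it must be used, e.g. `// Escape text for insertion into an HTML string; apply to every server-provided value concatenated into innerHTML (names, domains, destinations).`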