GitTimeraider · GitTimeraider · Oct 6, 2025 · Oct 6, 2025 · Oct 6, 2025 · Oct 6, 2025
diff --git a/app/directadmin_api.py b/app/directadmin_api.py
@@ -280,8 +280,10 @@ def validate_domain_access(self):
             return False, "Unable to verify domain access"
 
         except Exception as e:
+            import traceback
             print(f"Error validating domain access: {e}")
-            return False, f"Error validating domain: {str(e)}"
+            traceback.print_exc()
+            return False, "An internal error occurred while validating domain access."
 
     def get_email_accounts(self):
         """Get all email accounts for the domain"""

diff --git a/app/main.py b/app/main.py
@@ -118,8 +118,10 @@ def get_migration_status():
             })
 
         except Exception as e:
+            print(f"Error in /api/migration-status: {str(e)}")
+            traceback.print_exc()
             return jsonify({
-                'error': f'Migration status check failed: {str(e)}',
+                'error': 'An internal error occurred while checking migration status.',
                 'success': False
             }), 500
 

diff --git a/app/settings.py b/app/settings.py
@@ -139,21 +139,21 @@ def test_connection():
         return jsonify(result)
 
     except Exception as e:
-        error_msg = str(e)
-        print(f"Test connection error: {error_msg}")
+        print(f"Test connection error: {str(e)}")
         print(traceback.format_exc())
 
-        # Provide more specific error messages
-        if 'timeout' in error_msg.lower():
-            error_msg = 'Connection timed out. Please check your DirectAdmin server URL and network connection.'
-        elif 'connection' in error_msg.lower():
-            error_msg = 'Unable to connect to DirectAdmin server. Please verify the server URL is correct.'
-        elif 'ssl' in error_msg.lower() or 'certificate' in error_msg.lower():
-            error_msg = 'SSL certificate error. Try using HTTP instead of HTTPS, or check your certificate configuration.'
+        # Provide more specific error messages to the user, do not return exception messages
+        user_error_msg = None
+        error_str = str(e).lower()
+        if 'timeout' in error_str:
+            user_error_msg = 'Connection timed out. Please check your DirectAdmin server URL and network connection.'
+        elif 'connection' in error_str:
+            user_error_msg = 'Unable to connect to DirectAdmin server. Please verify the server URL is correct.'
+        elif 'ssl' in error_str or 'certificate' in error_str:
+            user_error_msg = 'SSL certificate error. Try using HTTP instead of HTTPS, or check your certificate configuration.'
         else:
-            error_msg = f'Connection test failed: {error_msg}'
-
-        return jsonify({'error': error_msg, 'success': False}), 200
+            user_error_msg = 'Connection test failed. Please contact support or try again later.'
+        return jsonify({'error': user_error_msg, 'success': False}), 200
 
 @settings_bp.route('/api/domains', methods=['GET'])
 @login_required

diff --git a/requirements.txt b/requirements.txt
@@ -7,4 +7,4 @@ pyotp==2.9.0
 qrcode==8.2
 pillow==11.3.0
 requests==2.32.5
-cryptography==46.0.1
+cryptography==46.0.2
diff --git a/static/dashboard.js b/static/dashboard.js
@@ -4,6 +4,16 @@ let emailAccounts = [];
 let availableDomains = [];
 let selectedDomain = null;
 
+// Escape a string for HTML insertion (prevents XSS)
+function escapeHTML(str) {
+    return String(str)
+        .replace(/&/g, "&amp;")
+        .replace(/</g, "&lt;")
+        .replace(/>/g, "&gt;")
+        .replace(/"/g, "&quot;")
+        .replace(/'/g, "&#39;");
+}
+
 // Helper function to validate destinations (including special ones)
 function isValidDestination(destination) {
     // Allow special destinations
@@ -228,9 +238,9 @@ async function loadForwarders() {
         console.error('Error loading forwarders:', error);
 
         if (error.response && error.response.status === 403) {
-            tbody.innerHTML = '<tr><td colspan="3" class="error-message">Domain access denied: ' + selectedDomain + ' may not be configured in your DirectAdmin account.</td></tr>';
+            tbody.innerHTML = '<tr><td colspan="3" class="error-message">Domain access denied: ' + escapeHTML(selectedDomain) + ' may not be configured in your DirectAdmin account.</td></tr>';
         } else {
-            tbody.innerHTML = '<tr><td colspan="3" class="error-message">Failed to load forwarders for ' + selectedDomain + '. Please check your DirectAdmin settings.</td></tr>';
+            tbody.innerHTML = '<tr><td colspan="3" class="error-message">Failed to load forwarders for ' + escapeHTML(selectedDomain) + '. Please check your DirectAdmin settings.</td></tr>';
         }
     }
 }