Merge pull request #2129 from owncloud/don't-sanitize-error-message

Don't sanitize error message hint

2 files changed, 4 insertions, 3 deletions

diff --git a/core/templates/error.php b/core/templates/error.php
index 3305f3fba9c..ac91357b350 100644
--- a/core/templates/error.php
+++ b/core/templates/error.php
@@ -2,7 +2,7 @@
 	<?php foreach($_["errors"] as $error):?>
 		<li class='error'>
 			<?php p($error['error']) ?><br/>
-			<p class='hint'><?php if(isset($error['hint']))p($error['hint']) ?></p>
+			<p class='hint'><?php if(isset($error['hint']))print_unescaped($error['hint']) ?></p>
 		</li>
 	<?php endforeach ?>
 </ul>
diff --git a/lib/template.php b/lib/template.php
index 398f9de0655..434c1e9e990 100644
--- a/lib/template.php
+++ b/lib/template.php
@@ -519,12 +519,13 @@ class OC_Template{
 	/**
 		* @brief Print a fatal error page and terminates the script
 		* @param string $error The error message to show
-		* @param string $hint An option hint message
+		* @param string $hint An optional hint message 
+		* Warning: All data passed to $hint needs to get sanitized using OC_Util::sanitizeHTML
 		*/
 	public static function printErrorPage( $error_msg, $hint = '' ) {
 		$content = new OC_Template( '', 'error', 'error' );
 		$errors = array(array('error' => $error_msg, 'hint' => $hint));
-		$content->assign( 'errors', $errors, false );
+		$content->assign( 'errors', $errors );
 		$content->printPage();
 		die();
 	}