From 791871433645f02fead81390e4dc006fffecbb72 Mon Sep 17 00:00:00 2001
From: Edoardo Spadolini
Date: Mon, 4 May 2026 12:45:18 +0200
Subject: [PATCH] Make html escaping in DebugReports more exhaustive
---
 trace.go | 6 +++++-
 trace_test.go | 4 ++--
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/trace.go b/trace.go
index 1e0a45f..b07cfa0 100644
--- a/trace.go
+++ b/trace.go
@@ -557,12 +557,16 @@ func wrapProxy(err error) Error {
 }
 }
 
+// htmlEscaper matches the escaping done in [html/template] for text and quoted
+// attributes, which is slightly more than what [html.EscapeString] does.
 var htmlEscaper = strings.NewReplacer(
+ "\x00", "\uFFFD",
+ `"`, """, // """ is shorter than """.
 `&`, "&",
 `'`, "'", // "'" is shorter than "'" and apos was not in HTML until HTML5.
+ `+`, "+",
 `<`, "<",
 `>`, ">",
- `"`, """, // """ is shorter than """.
 )
 
 // DebugReport formats the underlying error for display
diff --git a/trace_test.go b/trace_test.go
index eed9ffe..a23a6c2 100644
--- a/trace_test.go
+++ b/trace_test.go
@@ -195,7 +195,7 @@ func TestProxyErrorDebugReport(t *testing.T) {
 err: proxyError{
 TraceErr: &TraceErr{
 Err: &TraceErr{
- Err: &BadParameterError{Message: `a < b & c > d "e"`},
+ Err: &BadParameterError{Message: `a < b & c > d "e" + '` + "\x00" + `'`},
 Traces: innerTraces,
 Fields: map[string]interface{}{"k"},
 Messages: []string{``},
@@ -258,7 +258,7 @@ func TestTraceErrDebugReport(t *testing.T) {
 {
 name: "html special characters",
 err: &TraceErr{
- Err: &BadParameterError{Message: `a < b & c > d "e"`},
+ Err: &BadParameterError{Message: `a < b & c > d "e" + '` + "\x00" + `'`},
 Traces: traces,
 Fields: map[string]interface{}{"k"},
 Messages: []string{``},
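Review bot: The new doc comment on htmlEscaper names the contexts the table is built for (text and quoted attributes) but does not say that it is insufficient anywhere else, which is the property a caller of DebugReport needs before interpolating the report into a page. I would extend the comment with `// The result is only safe as text content or inside a double- or single-quoted attribute value; output placed in unquoted attributes, script, style or URL contexts needs context-specific escaping.` The seven replacements (NUL, both quote characters, `&`, `+`, `<`, `>`) are the same set html/template applies in those two contexts, and since every key is a single byte the order of the pairs passed to NewReplacer does not change the result, so moving the `"` entry is cosmetic only. The enclosing file continues past the hunk with DebugReport itself.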
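Review bot: The changed inputs in TestProxyErrorDebugReport and in the "html special characters" case of TestTraceErrDebugReport now include `+` and a NUL byte, yet no expected-output line changes anywhere in this patch, so the expectation is presumably computed (by the escaper itself or a shared helper) rather than written out; if so, a regression that dropped `+` from the table would still pass. I would add one literal check per test that the report contains the escaped forms of `+` and NUL between the escaped quotes and no raw `+` or `\x00`, so the test pins the escaping instead of mirroring it. Both struct literals begin and end outside their hunks, so the comparison itself is not visible here and this is inferred from the diffstat.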