fix: sanitize statusMessage of disallowed chars (#1057)

src/dev/error.ts

@@ -1,9 +1,9 @@
+import { setResponseStatus } from "h3";
 import { NitroErrorHandler } from "../types";
 
 function errorHandler(error, event) {
   event.node.res.setHeader("Content-Type", "text/html; charset=UTF-8");
-  event.node.res.statusCode = 503;
-  event.node.res.statusMessage = "Server Unavailable";
+  setResponseStatus(event, 503, "Server Unavailable");
 
   let body;
   let title;

src/runtime/error.ts

@@ -1,4 +1,5 @@
 // import ansiHTML from 'ansi-html'
+import { setResponseStatus } from "h3";
 import type { NitroErrorHandler } from "../types";
 import { normalizeError, isJsonRequest } from "./utils";
 
@@ -41,10 +42,7 @@ export default <NitroErrorHandler>function (error, event) {
     );
   }
 
-  event.node.res.statusCode = statusCode;
-  if (statusMessage) {
-    event.node.res.statusMessage = statusMessage;
-  }
+  setResponseStatus(event, statusCode, statusMessage);
 
   if (isJsonRequest(event)) {
     event.node.res.setHeader("Content-Type", "application/json");

src/runtime/renderer.ts

@@ -1,4 +1,4 @@
-import { H3Event, eventHandler } from "h3";
+import { H3Event, eventHandler, setResponseStatus } from "h3";
 import { useNitroApp } from "./app";
 
 export interface RenderResponse {
@@ -48,12 +48,7 @@ export function defineRenderHandler(handler: RenderHandler) {
       for (const header in response.headers) {
         event.node.res.setHeader(header, response.headers[header]);
       }
-      if (response.statusCode) {
-        event.node.res.statusCode = response.statusCode;
-      }
-      if (response.statusMessage) {
-        event.node.res.statusMessage = response.statusMessage;
-      }
+      setResponseStatus(event, response.statusCode, response.statusMessage);
     }
 
     // Send response body