fix: suppress internal error details from users in production mode

In production mode (NODE_ENV=production), the client-side error handler
now shows a generic "reload the page" message with just the ErrorId
instead of leaking internal details like error messages, file paths,
line numbers, stack traces, and user agent strings.

In development mode, the full error details are still shown for
debugging.

The basic_error_handler (pre-initialization errors) now always shows a
generic message and logs details to the console instead of displaying
them in the DOM.

The server-side jserror endpoint still receives full error details for
server-side logging — only the user-facing display is suppressed.

Fixes: #5765

Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>

Author: JohnMcLear

src/static/js/basic_error_handler.ts

@@ -23,24 +23,15 @@
     box.textContent = '';
     const summary = document.createElement('p');
     box.appendChild(summary);
-    summary.appendChild(document.createTextNode('An error occurred while loading the page:'));
-    const msgBlock = document.createElement('blockquote');
-    box.appendChild(msgBlock);
-    msgBlock.style.fontWeight = 'bold';
-    msgBlock.appendChild(document.createTextNode(msg));
-    const loc = document.createElement('p');
-    box.appendChild(loc);
-    loc.appendChild(document.createTextNode(`in ${url}`));
-    loc.appendChild(document.createElement('br'));
-    loc.appendChild(document.createTextNode(`at line ${line}:${col}`));
-    const stackSummary = document.createElement('p');
-    box.appendChild(stackSummary);
-    stackSummary.appendChild(document.createTextNode('Stack trace:'));
-    const stackBlock = document.createElement('blockquote');
-    box.appendChild(stackBlock);
-    const stack = document.createElement('pre');
-    stackBlock.appendChild(stack);
-    stack.appendChild(document.createTextNode(err.stack || err.toString()));
+    summary.appendChild(document.createTextNode('An error occurred while loading the page.'));
+    const reload = document.createElement('p');
+    box.appendChild(reload);
+    reload.appendChild(document.createTextNode(
+      'Please press Ctrl+F5 to reload. If the problem persists, contact your webmaster.'));
+
+    // Log the error details to the console for debugging, but don't show them to the user.
+    // See https://github.com/ether/etherpad-lite/issues/5765
+    console.error('Page load error:', msg, `\n  at ${url}:${line}:${col}`, err?.stack || err);
 
     if (typeof originalHandler === 'function') originalHandler(...args);
   };

src/static/js/pad_utils.ts

@@ -425,20 +425,36 @@ class PadUtils {
         });
 
         if (!msgAlreadyVisible) {
-          const txt = document.createTextNode.bind(document); // Convenience shorthand.
-          const errorMsg = [
-            $('<p>')
-              .append($('<b>').text('Please press and hold Ctrl and press F5 to reload this page')),
-            $('<p>')
-              .text('If the problem persists, please send this error message to your webmaster:'),
-            $('<div>').css('text-align', 'left').css('font-size', '.8em').css('margin-top', '1em')
-              .append($('<b>').addClass('error-msg').text(msg)).append($('<br>'))
-              .append(txt(`at ${url} at line ${linenumber}`)).append($('<br>'))
-              .append(txt(`ErrorId: ${errorId}`)).append($('<br>'))
-              .append(txt(type)).append($('<br>'))
-              .append(txt(`URL: ${window.location.href}`)).append($('<br>'))
-              .append(txt(`UserAgent: ${navigator.userAgent}`)).append($('<br>')),
-          ];
+          // In production mode, hide internal error details (file paths, line numbers,
+          // error messages) from end users. Only show a generic reload message.
+          // See https://github.com/ether/etherpad-lite/issues/5765
+          const isProduction = (window as any).clientVars?.mode === 'production';
+
+          const errorMsg = isProduction
+            ? [
+              $('<p>')
+                .append($('<b>').text('Please press and hold Ctrl and press F5 to reload this page')),
+              $('<p>')
+                .text('If the problem persists, please contact your webmaster.')
+                .append($('<br>'))
+                .append($('<span>').css('font-size', '.8em').text(`ErrorId: ${errorId}`)),
+            ]
+            : (() => {
+              const txt = document.createTextNode.bind(document);
+              return [
+                $('<p>')
+                  .append($('<b>').text('Please press and hold Ctrl and press F5 to reload this page')),
+                $('<p>')
+                  .text('If the problem persists, please send this error message to your webmaster:'),
+                $('<div>').css('text-align', 'left').css('font-size', '.8em').css('margin-top', '1em')
+                  .append($('<b>').addClass('error-msg').text(msg)).append($('<br>'))
+                  .append(txt(`at ${url} at line ${linenumber}`)).append($('<br>'))
+                  .append(txt(`ErrorId: ${errorId}`)).append($('<br>'))
+                  .append(txt(type)).append($('<br>'))
+                  .append(txt(`URL: ${window.location.href}`)).append($('<br>'))
+                  .append(txt(`UserAgent: ${navigator.userAgent}`)).append($('<br>')),
+              ];
+            })();
 
           // @ts-ignore
           $.gritter.add({