Bug 272620: avoid XSS problem with internal error messages. Patch by gerv; r=justdave...

diff --git a/Bugzilla/Error.pm b/Bugzilla/Error.pm
index e511a575c6214f47b12029185a981a132129afb5..23e7deee9a4d3e93fe4e670423734cb53fcdd741 100644 (file)
--- a/Bugzilla/Error.pm
+++ b/Bugzilla/Error.pm
@@ -79,7 +79,10 @@ sub ThrowTemplateError {
             time this message appeared.
           </p>
           <script type="text/javascript"> <!--
-            document.write("<p>URL: " + document.location + "</p>");
+          document.write("<p>URL: " + 
+                          document.location.href.replace(/&/g,"&amp;")
+                                                .replace(/</g,"&lt;")
+                                                .replace(/>/g,"&gt;") + "</p>");
           // -->
           </script>
           <p>Template->process() failed twice.<br>

diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index cbca4f1d14cca36019449445ff108e4f9fcd9717..91acc8f064ecc91149f6c549673b10941ac810ee 100644 (file)
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -251,7 +251,10 @@
     the time this message appeared.
   </p>
   <script type="text/javascript"> <!--
-    document.write("<p>URL: " + document.location + "</p>");
+    document.write("<p>URL: " + 
+                    document.location.href.replace(/&/g,"&amp;")
+                                          .replace(/</g,"&lt;")
+                                          .replace(/>/g,"&gt;") + "</p>");
   // -->
   </script>
 </tt>