Bug 272620: avoid XSS problem with internal error messages. Patch by wurblzap@gmail...
authorgerv%gerv.net <>
Tue, 4 Jan 2005 05:02:10 +0000 (05:02 +0000)
committergerv%gerv.net <>
Tue, 4 Jan 2005 05:02:10 +0000 (05:02 +0000)
CGI.pl
template/en/default/global/code-error.html.tmpl

diff --git a/CGI.pl b/CGI.pl
index dd48110426e5a0f57d0d51fa570819fe6c9d9a8a..5326e129d70cca05befb5cd75a5b0cc75d873c11 100644 (file)
--- a/CGI.pl
+++ b/CGI.pl
@@ -965,7 +965,11 @@ sub ThrowTemplateError {
             time this message appeared.
           </p>
           <script> <!--
-            document.write("<p>URL: " + document.location + "</p>");
+            document.write("<p>URL: " +
+                           document.location.href.replace(/&/g, "&amp;")
+                                                 .replace(/</g, "&lt;")
+                                                 .replace(/>/g, "&gt;") +
+                           "</p>");
           // -->
           </script>
           <p>Template->process() failed twice.<br>
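Review bot: The URL escaping added here is undocumented and is specific to element content — `"` and `'` are left unescaped, which is adequate inside `<p>…</p>` but would not be if the URL were ever emitted into an attribute such as an `href`. Nothing in the new lines says why `document.location.href` is escaped at all, so a later reader could "simplify" it back to the raw value; a comment above the `document.write`, such as `// The request URL is attacker-influenced: escape it before writing it into the page as HTML (add &quot; if it is ever placed in an attribute)`, would preserve the intent. The same three-way replace chain is duplicated in template/en/default/global/code-error.html.tmpl (the second hunk) and needs the same comment there. The enclosing sub ThrowTemplateError, including the heredoc this markup lives in, starts and ends outside the hunk.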
index cab4f44b8a6fe586819794e5a51a56b56a2b4e9e..5274be5fc4dd4e88d416dddcf9456f7781f5874a 100644 (file)
     the time this message appeared.
   </p>
   <script> <!--
-    document.write("<p>URL: " + document.location + "</p>");
+    document.write("<p>URL: " +
+                   document.location.href.replace(/&/g, "&amp;")
+                                         .replace(/</g, "&lt;")
+                                         .replace(/>/g, "&gt;") +
+                   "</p>");
   // -->
   </script>
 </tt>