Bug 272620: avoid XSS problem with internal error messages. Patch by gerv; r=justdave...

diff --git a/Bugzilla/Error.pm b/Bugzilla/Error.pm
index 00a2675eb05c8f51e71f41a6435952544c2fb233..96017f368ff2e3c1dc23b1b6579219801cedd8ab 100644 (file)
--- a/Bugzilla/Error.pm
+++ b/Bugzilla/Error.pm
@@ -118,7 +118,10 @@ sub ThrowTemplateError {
             time this message appeared.
           </p>
           <script type="text/javascript"> <!--
-            document.write("<p>URL: " + document.location + "</p>");
+          document.write("<p>URL: " + 
+                          document.location.href.replace(/&/g,"&amp;")
+                                                .replace(/</g,"&lt;")
+                                                .replace(/>/g,"&gt;") + "</p>");
           // -->
           </script>
           <p>Template->process() failed twice.<br>

diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 42172d900ab323fcfc32ec905ce5b8b2655589cf..5026d8314eda2b2c785e2551f25b2809958745a5 100644 (file)
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -256,7 +256,10 @@
     the time this message appeared.
   </p>
   <script type="text/javascript"> <!--
-    document.write("<p>URL: " + document.location + "</p>");
+    document.write("<p>URL: " + 
+                    document.location.href.replace(/&/g,"&amp;")
+                                          .replace(/</g,"&lt;")
+                                          .replace(/>/g,"&gt;") + "</p>");
   // -->
   </script>
 </tt>