Bug 272620: avoid XSS problem with internal error messages. Patch by gerv; r=justdave; a=justdave.

2 files changed, 8 insertions, 2 deletions

diff --git a/Bugzilla/Error.pm b/Bugzilla/Error.pm
index 00a2675eb..96017f368 100644
--- a/Bugzilla/Error.pm
+++ b/Bugzilla/Error.pm
@@ -118,7 +118,10 @@ sub ThrowTemplateError {
             time this message appeared.
           </p>
           <script type="text/javascript"> <!--
-            document.write("<p>URL: " + document.location + "</p>");
+          document.write("<p>URL: " + 
+                          document.location.href.replace(/&/g,"&amp;")
+                                                .replace(/</g,"&lt;")
+                                                .replace(/>/g,"&gt;") + "</p>");
           // -->
           </script>
           <p>Template->process() failed twice.<br>
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 42172d900..5026d8314 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -256,7 +256,10 @@
     the time this message appeared.
   </p>
   <script type="text/javascript"> <!--
-    document.write("<p>URL: " + document.location + "</p>");
+    document.write("<p>URL: " + 
+                    document.location.href.replace(/&/g,"&amp;")
+                                          .replace(/</g,"&lt;")
+                                          .replace(/>/g,"&gt;") + "</p>");
   // -->
   </script>
 </tt>