Bug 272620: avoid XSS problem with internal error messages. Patch by gerv; r=justdave; a=justdave.

author: gerv%gerv.net <> 2005-01-04 05:54:57 +0100
committer: gerv%gerv.net <> 2005-01-04 05:54:57 +0100
commit: ed09207ecef601b38bff1392ef5e1726e8fc44c5 (patch)
tree: d6230a128409035ee8dc2bd58c4aad41bb4c0aa9 /Bugzilla/Error.pm
parent: a90c06d0075eb8a0a9b57a8b80ba3c26f6136643 (diff)
download: bugzilla-ed09207ecef601b38bff1392ef5e1726e8fc44c5.tar.gz
bugzilla-ed09207ecef601b38bff1392ef5e1726e8fc44c5.tar.xz
1 files changed, 4 insertions, 1 deletions
diff --git a/Bugzilla/Error.pm b/Bugzilla/Error.pm
index 00a2675eb..96017f368 100644
--- a/Bugzilla/Error.pm
+++ b/Bugzilla/Error.pm
@@ -118,7 +118,10 @@ sub ThrowTemplateError {
             time this message appeared.
           </p>
           <script type="text/javascript"> <!--
-            document.write("<p>URL: " + document.location + "</p>");
+          document.write("<p>URL: " + 
+                          document.location.href.replace(/&/g,"&amp;")
+                                                .replace(/</g,"&lt;")
+                                                .replace(/>/g,"&gt;") + "</p>");
           // -->
           </script>
           <p>Template->process() failed twice.<br>
author	gerv%gerv.net <>	2005-01-04 05:54:57 +0100
committer	gerv%gerv.net <>	2005-01-04 05:54:57 +0100
commit	ed09207ecef601b38bff1392ef5e1726e8fc44c5 (patch)
tree	d6230a128409035ee8dc2bd58c4aad41bb4c0aa9 /Bugzilla/Error.pm
parent	a90c06d0075eb8a0a9b57a8b80ba3c26f6136643 (diff)
download	bugzilla-ed09207ecef601b38bff1392ef5e1726e8fc44c5.tar.gz bugzilla-ed09207ecef601b38bff1392ef5e1726e8fc44c5.tar.xz