author: gerv%gerv.net <> 2005-01-04 05:54:57 +0100
committer: gerv%gerv.net <> 2005-01-04 05:54:57 +0100
commit: ed09207ecef601b38bff1392ef5e1726e8fc44c5 (patch)
tree: d6230a128409035ee8dc2bd58c4aad41bb4c0aa9 /template/en/default
parent: a90c06d0075eb8a0a9b57a8b80ba3c26f6136643 (diff)
download: bugzilla-ed09207ecef601b38bff1392ef5e1726e8fc44c5.tar.gz, bugzilla-ed09207ecef601b38bff1392ef5e1726e8fc44c5.tar.xz
Bug 272620: avoid XSS problem with internal error messages. Patch by gerv; r=justdave; a=justdave.
Diffstat (limited to 'template/en/default')
 template/en/default/global/code-error.html.tmpl | 5 +++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 42172d900..5026d8314 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -256,7 +256,10 @@
the time this message appeared.
</p>
<script type="text/javascript"> <!--
- document.write("<p>URL: " + document.location + "</p>");
+ document.write("<p>URL: " +
+ document.location.href.replace(/&/g,"&amp;")
+ .replace(/</g,"&lt;")
+ .replace(/>/g,"&gt;") + "</p>");
// -->
</script>
</tt>
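Review bot: the hand-rolled escape chain in the `+` lines is correct for this spot but fragile, and a DOM text node would make the escaping list unnecessary. The order is right (`&` is replaced first, so the `&lt;` and `&gt;` produced afterwards are not double-escaped), and because the URL is written as element text rather than into an attribute, leaving `"` and `'` unescaped is acceptable here. If this snippet is ever copied into an attribute context, though, the three-character list is no longer enough. A more robust alternative is to build the paragraph with `document.createElement("p")`, append `document.createTextNode("URL: " + document.location.href)`, and insert it, so the browser treats the URL purely as data and no escaping is needed at all. One more thing worth a line in the commit message: the removed line coerced the `document.location` object to a string, while the new lines read `document.location.href` explicitly; same value, but the change is intentional and should be stated.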