Skip to content

bugzilla
bugzilla
Commit ed09207e authored by gerv%gerv.net's avatar gerv%gerv.net
Browse files
Options

Bug 272620: avoid XSS problem with internal error messages. Patch by gerv; r=justdave; a=justdave.

parent a90c06d0
Hide whitespace changes
Inline Side-by-side
Showing with 8 additions and 2 deletions
Bugzilla/Error.pm
View file @ ed09207e
...@@ -118,7 +118,10 @@ sub ThrowTemplateError { ...@@ -118,7 +118,10 @@ sub ThrowTemplateError {
time this message appeared. time this message appeared.
</p> </p>
<script type="text/javascript"> <!-- <script type="text/javascript"> <!--
document.write("<p>URL: " + document.location + "</p>"); document.write("<p>URL: " +
document.location.href.replace(/&/g,"&amp;")
.replace(/</g,"&lt;")
.replace(/>/g,"&gt;") + "</p>");
// --> // -->
</script> </script>
<p>Template->process() failed twice.<br> <p>Template->process() failed twice.<br>
......
template/en/default/global/code-error.html.tmpl
View file @ ed09207e
...@@ -256,7 +256,10 @@ ...@@ -256,7 +256,10 @@
the time this message appeared. the time this message appeared.
</p> </p>
<script type="text/javascript"> <!-- <script type="text/javascript"> <!--
document.write("<p>URL: " + document.location + "</p>"); document.write("<p>URL: " +
document.location.href.replace(/&/g,"&amp;")
.replace(/</g,"&lt;")
.replace(/>/g,"&gt;") + "</p>");
// --> // -->
</script> </script>
</tt> </tt>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment