luci-base: dispatcher.uc: prevent XSS through 404 error template

Make sure to escape the user controlled URL passed as part of the error
message into the error404 template in order to avoid XSS.

Reported-by: 40826d <40826d@posteo.de>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Jo-Philipp Wich
2023-03-10 15:12:22 +01:00
parent debc3d396a
commit 24d7da2416
2 changed files with 3 additions and 3 deletions


@@ -10,7 +10,7 @@
<script type="text/javascript" src="{{ resource }}/promis.min.js"></script>
<script type="text/javascript" src="{{ resource }}/luci.js"></script>
<script type="text/javascript">
L = new LuCI({{ {
L = new LuCI({{ replace(`${ {
media : media,
resource : resource,
scriptname : http.getenv("SCRIPT_NAME"),
@@ -28,5 +28,5 @@
apply_timeout : max(+config.apply.timeout || 5, 1),
apply_display : max(+config.apply.display || 1.5, 1),
rollback_token : rollback_token
} }});
} }`, '/', '\\/') }});
</script>
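Review bot: The `replace(…, '/', '\\/')` wrapped around the `new LuCI({{ … }})` argument neutralises `</script>` but leaves `<!--` and `<script` untouched, and those sequences inside a serialized value still change how the HTML parser tokenises the rest of this inline script block. Escaping the opening angle bracket instead covers all three cases with one substitution, e.g. `} }`, '<', '\\u003c') }});`; assuming the interpolated object is emitted as JSON, `<` can only occur inside string values, where `\u003c` decodes to the same character. It is also worth confirming that `replace()` with a string pattern substitutes every occurrence rather than only the first, and adding a short template comment above the call stating that the escaping keeps values such as `scriptname` from terminating the script element. The object literal spans both hunks, so the fields between `scriptname` and `apply_timeout` are not visible here.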