author | Jo-Philipp Wich <jo@mein.io> | 2023-03-10 15:12:22 +0100 |
---|---|---|
committer | Jo-Philipp Wich <jo@mein.io> | 2023-03-10 15:36:09 +0100 |
commit | 24d7da2416b9ab246825c33c213fe939a89b369c (patch) | |
tree | 1915573df5fc6256cad4a19598781f65d29ca3f3 /modules/luci-base/ucode/template/header.ut | |
parent | debc3d396ae0340c7ee221a4fb45a5600d348ed1 (diff) |
luci-base: dispatcher.uc: prevent XSS through 404 error template
Make sure to escape the user controlled URL passed as part of the error
message into the error404 template in order to avoid XSS.
Reported-by: 40826d <40826d@posteo.de>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules/luci-base/ucode/template/header.ut')
-rw-r--r-- | modules/luci-base/ucode/template/header.ut | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/modules/luci-base/ucode/template/header.ut b/modules/luci-base/ucode/template/header.ut
index e87560010f..7dc3742a9d 100644
--- a/modules/luci-base/ucode/template/header.ut
+++ b/modules/luci-base/ucode/template/header.ut
@@ -10,7 +10,7 @@
 <script type="text/javascript" src="{{ resource }}/promis.min.js"></script>
 <script type="text/javascript" src="{{ resource }}/luci.js"></script>
 <script type="text/javascript">
- L = new LuCI({{ {
+ L = new LuCI({{ replace(`${ {
 media : media,
 resource : resource,
 scriptname : http.getenv("SCRIPT_NAME"),
@@ -28,5 +28,5 @@
 apply_timeout : max(+config.apply.timeout || 5, 1),
 apply_display : max(+config.apply.display || 1.5, 1),
 rollback_token : rollback_token
- } }});
+ } }`, '/', '\\/') }});
 </script> |
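Review bot: The `replace(..., '/', '\\/')` wrapper on the `L = new LuCI(` line carries no comment, so its purpose — keeping any serialised value from containing `</script>` and terminating the inline script element early — is invisible to the next maintainer; add `{# escape '/' so no interpolated value can form '</script>' inside this inline script #}` on the line above it. The object members between the two hunks (file lines 13–27) are outside this view, so which of the serialised values are request-derived cannot be confirmed here; the escape is sound regardless only if ucode's `replace` with a plain-string pattern substitutes every occurrence rather than just the first, which is worth confirming against the runtime's documentation since a second `</script>` in one value would otherwise survive. For defence in depth, additionally mapping `<` to `\u003c` would keep `<!--` sequences out of the script body as well, though that is optional once `</script>` can no longer appear.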