authorJo-Philipp Wich <jo@mein.io>2023-03-10 15:12:22 +0100
committerJo-Philipp Wich <jo@mein.io>2023-03-10 15:36:09 +0100
commit24d7da2416b9ab246825c33c213fe939a89b369c (patch)
tree1915573df5fc6256cad4a19598781f65d29ca3f3 /modules
parentdebc3d396ae0340c7ee221a4fb45a5600d348ed1 (diff)
luci-base: dispatcher.uc: prevent XSS through 404 error template
Make sure to escape the user-controlled URL that is passed, as part of the error message, into the error404 template, in order to avoid XSS. Reported-by: 40826d <40826d@posteo.de> Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules')
-rw-r--r--modules/luci-base/ucode/dispatcher.uc2
-rw-r--r--modules/luci-base/ucode/template/header.ut4
2 files changed, 3 insertions, 3 deletions
diff --git a/modules/luci-base/ucode/dispatcher.uc b/modules/luci-base/ucode/dispatcher.uc
index 24769f0037..39af8375ea 100644
--- a/modules/luci-base/ucode/dispatcher.uc
+++ b/modules/luci-base/ucode/dispatcher.uc
@@ -845,7 +845,7 @@ function run_action(request_path, lang, tree, resolved, action) {
"Install luci-mod-admin-full and retry. " +
"If the module is already installed, try removing the /tmp/luci-indexcache file.");
else
- error404(`No page is registered at '/${join("/", resolved.ctx.request_path)}'.\n` +
+ error404(`No page is registered at '/${entityencode(join("/", resolved.ctx.request_path))}'.\n` +
"If this url belongs to an extension, make sure it is properly installed.\n" +
"If the extension was recently installed, try removing the /tmp/luci-indexcache file.");
break;
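Review bot: The new `entityencode()` wrapper is the right primitive only if `error404()` inserts its message into the HTML template verbatim; that function is outside the hunk, so if it already entity-encodes its argument the path will display double-encoded, and if it renders the text into an attribute or script context a different escaper would be needed — worth confirming against its definition. A short why-comment above the call would keep a later editor from removing the wrapper as redundant, e.g. `// request_path is attacker-controlled: entity-encode it before it reaches the HTML error template`. The other error message a few lines up appears to be static text with no interpolation, so it does not seem to need the same treatment. The enclosing `run_action()` begins before this hunk.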
diff --git a/modules/luci-base/ucode/template/header.ut b/modules/luci-base/ucode/template/header.ut
index e87560010f..7dc3742a9d 100644
--- a/modules/luci-base/ucode/template/header.ut
+++ b/modules/luci-base/ucode/template/header.ut
@@ -10,7 +10,7 @@
<script type="text/javascript" src="{{ resource }}/promis.min.js"></script>
<script type="text/javascript" src="{{ resource }}/luci.js"></script>
<script type="text/javascript">
- L = new LuCI({{ {
+ L = new LuCI({{ replace(`${ {
media : media,
resource : resource,
scriptname : http.getenv("SCRIPT_NAME"),
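Review bot: Escaping `/` as `\/` only closes the closing-script-tag breakout for serialised values such as `scriptname` (read from `SCRIPT_NAME`); a value containing `<!--` or `<script` can still move the HTML parser into its escaped script-data states, so the conventional guard for JSON embedded in an inline script is to additionally escape `<` as `\u003c` (and `>`/`&` for symmetry), which stays valid inside JSON string literals, e.g. a chained `replace(..., '<', '\\u003c')`. It is also worth confirming that ucode's string-pattern `replace()` substitutes every occurrence rather than only the first, since otherwise a second `/` within one value is left untouched; the closing half of this expression, `} }`, '/', '\\/') }});`, lives in the second hunk of this file and must be read together with this one. A comment on the line before `L = new LuCI(` would record the intent without spelling a literal closing script tag inside the script block (which the HTML parser would honour), e.g. `// serialised config is '/'-escaped so no embedded value can terminate this inline script`.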
@@ -28,5 +28,5 @@
apply_timeout : max(+config.apply.timeout || 5, 1),
apply_display : max(+config.apply.display || 1.5, 1),
rollback_token : rollback_token
- } }});
+ } }`, '/', '\\/') }});
</script>