From 24d7da2416b9ab246825c33c213fe939a89b369c Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jo@mein.io>
Date: Fri, 10 Mar 2023 15:12:22 +0100
Subject: luci-base: dispatcher.uc: prevent XSS through 404 error template

Make sure to escape the user controlled URL passed as part of the error
message into the error404 template in order to avoid XSS.

Reported-by: 40826d <40826d@posteo.de>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---
 modules/luci-base/ucode/template/header.ut | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'modules/luci-base/ucode/template/header.ut')

diff --git a/modules/luci-base/ucode/template/header.ut b/modules/luci-base/ucode/template/header.ut
index e87560010f..7dc3742a9d 100644
--- a/modules/luci-base/ucode/template/header.ut
+++ b/modules/luci-base/ucode/template/header.ut
@@ -10,7 +10,7 @@
 <script type="text/javascript" src="{{ resource }}/promis.min.js"></script>
 <script type="text/javascript" src="{{ resource }}/luci.js"></script>
 <script type="text/javascript">
-	L = new LuCI({{ {
+	L = new LuCI({{ replace(`${ {
 		media          : media,
 		resource       : resource,
 		scriptname     : http.getenv("SCRIPT_NAME"),
@@ -28,5 +28,5 @@
 		apply_timeout  : max(+config.apply.timeout  ||   5,  1),
 		apply_display  : max(+config.apply.display  || 1.5,  1),
 		rollback_token : rollback_token
-	} }});
+	} }`, '/', '\\/') }});
 </script>
-- 
cgit v1.2.3