Make sure to escape the user-controlled URL that is passed as part of the
error message into the error404 template, in order to avoid XSS.
Reported-by: 40826d <40826d@posteo.de>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
"Install luci-mod-admin-full and retry. " +
"If the module is already installed, try removing the /tmp/luci-indexcache file.");
else
- error404(`No page is registered at '/${join("/", resolved.ctx.request_path)}'.\n` +
+ error404(`No page is registered at '/${entityencode(join("/", resolved.ctx.request_path))}'.\n` +
"If this url belongs to an extension, make sure it is properly installed.\n" +
"If the extension was recently installed, try removing the /tmp/luci-indexcache file.");
break;
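Review bot: Escaping only at the added `entityencode(join("/", resolved.ctx.request_path))` call leaves `error404()` safe only as long as every caller remembers to encode request-derived text itself. The template is not visible here, but the commit message implies it writes the message out unescaped. If so, encoding once where the template emits the message would cover future callers too, provided no existing caller passes intentional markup. If the call-site approach stays, a comment above the call would record the contract, for example `// error404() output is not escaped by the template: entity-encode anything taken from the request`. The enclosing branch starts and ends outside this hunk, so other `error404`/`error500` callers could not be checked from here.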
<script type="text/javascript" src="{{ resource }}/promis.min.js"></script>
<script type="text/javascript" src="{{ resource }}/luci.js"></script>
<script type="text/javascript">
- L = new LuCI({{ {
+ L = new LuCI({{ replace(`${ {
media : media,
resource : resource,
scriptname : http.getenv("SCRIPT_NAME"),
apply_timeout : max(+config.apply.timeout || 5, 1),
apply_display : max(+config.apply.display || 1.5, 1),
rollback_token : rollback_token
- } }});
+ } }`, '/', '\\/') }});
</script>
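Review bot: Rewriting `/` to `\/` on the closing line of the `new LuCI(...)` argument stops a literal `</script>` from ending the inline block, but it leaves `<` itself untouched. A value containing `<!--` followed by `<script` can still change how the HTML parser decides where the script element ends. Escaping the opening bracket covers both cases, and it is safe because `<` can only occur inside JSON string literals: `} }`, '<', '\\u003c') }});`. This assumes `replace()` with a string pattern substitutes every occurrence, which the patch already relies on. Of the fields shown, `scriptname` comes from `http.getenv("SCRIPT_NAME")` and is the one most likely to carry request-influenced text. A short template comment saying why the serialized object is post-processed would keep the wrapper from being removed as noise later.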