security: support for clean & safe error handling on IE 11

Added pad_utils sanitization for clean and safe error handling on browsers that
do not encode the path of the URL.

Edited by muxator based on https://github.com/ether/etherpad-lite/pull/3647,
to be able to apply the patch on develop (the PR was for master), and perform
minor cleanups (mainly spurious statements).

Closes #3647.
pull/3644/head
aaron-costello 2019-10-18 21:00:11 +01:00
parent c65c5f17aa
commit 5879037ddc
1 changed files with 3 additions and 1 deletions


@ -361,6 +361,8 @@
<% e.begin_block("scripts"); %>
<script type="text/javascript">
var padutils = require('../static/js/pad_utils').padutils;
// @license magnet:?xt=urn:btih:8e4f440f4c65981c5bf93c76d35135ba5064d8b7&dn=apache-2.0.txt
(function() {
// Display errors on page load to the user
@ -370,7 +372,7 @@
var box = document.getElementById('editorloadingbox');
box.innerHTML = '<p><b>An error occurred while loading the pad</b></p>'
+ '<p><b>'+msg+'</b> '
+ '<small>in '+ url +' (line '+ line +')</small></p>';
+ '<small>in '+ padutils.escapeHTML(url) +' (line '+ line +')</small></p>';
// call original error handler
if(typeof(originalHandler) == 'function') originalHandler.call(null, arguments);
};
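Review bot: `msg` is still concatenated into `box.innerHTML` unescaped on the `+ '<p><b>'+msg+'</b> '` line, so the error handler keeps an HTML-injection sink that this change closes only for `url`. An error message can carry text derived from the page or its URL, so it should get the same treatment: `+ '<p><b>'+ padutils.escapeHTML(msg) +'</b> '`. `line` is presumably numeric, but could be escaped the same way for consistency. Separately, the new `require('../static/js/pad_utils')` call sits at the top of the inline script, ahead of the code that installs the handler; if the module loader is not yet available at that point (not visible in these hunks), the script throws and no error box is ever set up, so that ordering should be confirmed. The handler function begins outside the second hunk.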