security: support for clean & safe error handling on IE 11

Added pad_utils sanitization for clean and safe error handling on browsers that do not encode the path of the URL. Edited by muxator based on https://github.com/ether/etherpad-lite/pull/3647, to be able to apply the patch on develop (the PR was for master), and perform minor cleanups (mainly spurious statements). Closes #3647.
2019-10-18 21:00:11 +01:00 · 2019-10-18 21:00:11 +01:00 · 5879037ddc
parent c65c5f17aa
commit 5879037ddc
1 changed files with 3 additions and 1 deletions
--- a/src/templates/pad.html
+++ b/src/templates/pad.html
@ -361,6 +361,8 @@

        <% e.begin_block("scripts"); %>
        <script type="text/javascript">
+            var padutils = require('../static/js/pad_utils').padutils;
+
            // @license magnet:?xt=urn:btih:8e4f440f4c65981c5bf93c76d35135ba5064d8b7&dn=apache-2.0.txt
            (function() {
              // Display errors on page load to the user
@ -370,7 +372,7 @@
                var box   = document.getElementById('editorloadingbox');
                box.innerHTML = '<p><b>An error occurred while loading the pad</b></p>'
                              + '<p><b>'+msg+'</b> '
-                              + '<small>in '+ url +' (line '+ line +')</small></p>';
+                              + '<small>in '+ padutils.escapeHTML(url) +' (line '+ line +')</small></p>';
                // call original error handler
                if(typeof(originalHandler) == 'function') originalHandler.call(null, arguments);
              };