luci-base: dispatcher.lua: prevent XSS through 404 error template
Author: Jo-Philipp Wich <jo@mein.io>
Fri, 10 Mar 2023 14:09:04 +0000 (15:09 +0100)
Committer: Jo-Philipp Wich <jo@mein.io>
Fri, 10 Mar 2023 14:09:04 +0000 (15:09 +0100)
Make sure to escape the user controlled URL passed as part of the error
message into the error404 template in order to avoid XSS.

Reported-by: 40826d <40826d@posteo.de>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
modules/luci-base/luasrc/dispatcher.lua

index a3726fb1c11d75ca9a14f9ac6565b2f2b6acfe85..b190f5302f68bee4de533f0ed61fd6ab5aad76ff 100644 (file)
@@ -1064,7 +1064,7 @@ function dispatch(request)
                                 "Install luci-mod-admin-full and retry. " ..
                                 "If the module is already installed, try removing the /tmp/luci-indexcache file.")
                else
-                       error404("No page is registered at '/" .. table.concat(lookup_ctx.request_path, "/") .. "'.\n" ..
+                       error404("No page is registered at '/" .. xml.pcdata(table.concat(lookup_ctx.request_path, "/")) .. "'.\n" ..
                                 "If this url belongs to an extension, make sure it is properly installed.\n" ..
                                 "If the extension was recently installed, try removing the /tmp/luci-indexcache file.")
                end
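Review bot: The escaping is applied at this single call site rather than inside error404 itself, so any other caller that embeds request-derived data in the message (the neighbouring "Install luci-mod-admin-full" branch is static today, but future ones may not be) stays vulnerable by default; consider moving the `xml.pcdata` call into error404 (or having the error404 template escape its message) so the template is safe regardless of caller. The hunk also does not show where `xml` is bound; confirm dispatcher.lua already requires luci.xml into that name, otherwise this line would fail at runtime with an attempt to index a nil value exactly on the 404 path. Finally, note that `xml.pcdata` is the right primitive only because the path lands in element text; if the template ever places it into an attribute or a JavaScript context, pcdata escaping alone is insufficient.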