From cd8bea94e61fa72a0a2ba7bc54d7b2d7b7572519 Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich <jo@mein.io>
Date: Fri, 10 Mar 2023 15:09:04 +0100
Subject: [PATCH] luci-base: dispatcher.lua: prevent XSS through 404 error
 template

Make sure to escape the user controlled URL passed as part of the error
message into the error404 template in order to avoid XSS.

Reported-by: 40826d <40826d@posteo.de>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
---
 modules/luci-base/luasrc/dispatcher.lua | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index a3726fb1c1..b190f5302f 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -1064,7 +1064,7 @@ function dispatch(request)
 			         "Install luci-mod-admin-full and retry. " ..
 			         "If the module is already installed, try removing the /tmp/luci-indexcache file.")
 		else
-			error404("No page is registered at '/" .. table.concat(lookup_ctx.request_path, "/") .. "'.\n" ..
+			error404("No page is registered at '/" .. xml.pcdata(table.concat(lookup_ctx.request_path, "/")) .. "'.\n" ..
 			         "If this url belongs to an extension, make sure it is properly installed.\n" ..
 			         "If the extension was recently installed, try removing the /tmp/luci-indexcache file.")
 		end
-- 
2.30.2