[Security] Fixes possible XSS in login.lua referer param

Fixes XSS1 | Reflected URL http://192.168.2.200:3000/lua/login.lua?referer=%27%3E%3Cscript%3Ealert(1)%3C/script%3E METHOD Get PARAMETER referer PAYLOAD '><script>alert(1)</script>
2026-05-01 00:19:33 +00:00 · 2019-03-14 11:35:35 +01:00 · 2019-03-14 11:35:35 +01:00 · 5a67bf6e43
commit 5a67bf6e43
parent 37b8a80498
1 changed files with 6 additions and 1 deletions
--- a/scripts/lua/modules/http_lint.lua
+++ b/scripts/lua/modules/http_lint.lua
@ -1552,7 +1552,12 @@ function http_lint.validationError(t, param, value, message)
   -- TODO graceful exit
   local s_id
   if t == _GET then s_id = "_GET" else s_id = "_POST" end
-   error("[LINT] " .. s_id .. "[\"" .. param .. "\"] = \"" .. (value or 'nil') .. "\" parameter error: " .. message)
+
+   -- Must use urlencode to print these values or an attacker could perform XSS.
+   -- Indeed, the web page returned by mongoose will show the error below and
+   -- one could place something like '><script>alert(1)</script> in the value
+   -- to close the html and execute a script
+   error("[LINT] " .. s_id .. "[\"" .. urlencode(param) .. "\"] = \"" .. urlencode(value or 'nil') .. "\" parameter error: " .. message.."")
 end

 -- #################################################################