From 2787294ecfe5d005d836f08f724ced938ff14965 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin
Date: Mon, 16 Mar 2015 16:20:21 +0100
Subject: JSON-encode error messages.
This ensures that control characters are escaped and defeats injection attacks.
---
 xul-ext/chrome/content/icevault.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'xul-ext/chrome')
diff --git a/xul-ext/chrome/content/icevault.js b/xul-ext/chrome/content/icevault.js
index 2006e3a..fe2cb50 100644
--- a/xul-ext/chrome/content/icevault.js
+++ b/xul-ext/chrome/content/icevault.js
@@ -131,7 +131,7 @@ var icevault = (function() {
 send(state.outStream, 'OK');
 } catch (e if typeof e == "string" || e instanceof SyntaxError) {
- send(state.outStream, 'ERROR ' + (typeof e == "string" ? e : e.message));
+ send(state.outStream, 'ERROR ' + JSON.stringify(typeof e == "string" ? e : e.message));
 }
 break;
@@ -142,7 +142,7 @@ var icevault = (function() {
 break;
 default:
- send(state.outStream, 'ERROR Invalid command: ' + command);
+ send(state.outStream, 'ERROR ' + JSON.stringify('Invalid command: ' + command));
 }
 };
-- cgit v1.2.3
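Review bot: `JSON.stringify` escapes only `"`, `\` and U+0000–U+001F, so in the reply built in the catch branch (and likewise in the `default:` branch of the second hunk) DEL, the C1 controls U+0080–U+009F and U+2028/U+2029 still reach the stream unescaped. That keeps a reply on one line, but if the consumer prints it to a terminal or splits on Unicode line separators (the consumer is not visible here), the payload should be forced to ASCII in one shared helper, e.g. by applying `.replace(/[\u007f-\uffff]/g, function (c) { return '\\u' + ('0000' + c.charCodeAt(0).toString(16)).slice(-4); })` to the `JSON.stringify` result. A comment above the two `send` calls, such as `// ERROR payload is a JSON string literal; clients must JSON-decode it`, would also record the wire-format change for client authors. The enclosing function starts and ends outside both hunks.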
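Review bot: The `default:` branch still reflects the whole of `command` in the reply, and nothing in the hunk bounds its length; `command` presumably comes from the peer's input line, though its parsing is outside the hunk. Capping what is echoed, e.g. `JSON.stringify('Invalid command: ' + String(command).slice(0, 64))` (64 is a constructed limit), keeps an unrecognised request from producing an arbitrarily large error line. The switch and its enclosing function begin before the hunk.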