From 2787294ecfe5d005d836f08f724ced938ff14965 Mon Sep 17 00:00:00 2001
From: Guilhem Moulin <guilhem@fripost.org>
Date: Mon, 16 Mar 2015 16:20:21 +0100
Subject: JSON-encode error messages.

This ensures that control characters are escaped and defeats injection
attacks.
---
 xul-ext/chrome/content/icevault.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'xul-ext/chrome')

diff --git a/xul-ext/chrome/content/icevault.js b/xul-ext/chrome/content/icevault.js
index 2006e3a..fe2cb50 100644
--- a/xul-ext/chrome/content/icevault.js
+++ b/xul-ext/chrome/content/icevault.js
@@ -131,7 +131,7 @@ var icevault = (function() {
           send(state.outStream, 'OK');
         }
         catch (e if typeof e == "string" || e instanceof SyntaxError) {
-          send(state.outStream, 'ERROR ' + (typeof e == "string" ? e : e.message));
+          send(state.outStream, 'ERROR ' + JSON.stringify(typeof e == "string" ? e : e.message));
         }
         break;
 
@@ -142,7 +142,7 @@ var icevault = (function() {
         break;
 
       default:
-        send(state.outStream, 'ERROR Invalid command: ' + command);
+        send(state.outStream, 'ERROR ' + JSON.stringify('Invalid command: ' + command));
     }
   };
 
-- 
cgit v1.2.3