Bug 272620: avoid XSS problem with internal error messages. Patch by gerv; r=justdave; a=justdave.

webtools/bugzilla/Bugzilla/Error.pm

@@ -118,7 +118,10 @@ sub ThrowTemplateError {
             time this message appeared.
           </p>
           <script type="text/javascript"> <!--
-            document.write("<p>URL: " + document.location + "</p>");
+          document.write("<p>URL: " + 
+                          document.location.href.replace(/&/g,"&amp;")
+                                                .replace(/</g,"&lt;")
+                                                .replace(/>/g,"&gt;") + "</p>");
           // -->
           </script>
           <p>Template->process() failed twice.<br>

webtools/bugzilla/template/en/default/global/code-error.html.tmpl

@@ -256,7 +256,10 @@
     the time this message appeared.
   </p>
   <script type="text/javascript"> <!--
-    document.write("<p>URL: " + document.location + "</p>");
+    document.write("<p>URL: " + 
+                    document.location.href.replace(/&/g,"&amp;")
+                                          .replace(/</g,"&lt;")
+                                          .replace(/>/g,"&gt;") + "</p>");
   // -->
   </script>
 </tt>