luci-base: dispatcher.uc: prevent XSS through 404 error template

Make sure to escape the user controlled URL passed as part of the error
message into the error404 template in order to avoid XSS.

Reported-by: 40826d <40826d@posteo.de>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

modules/luci-base/ucode/dispatcher.uc

@@ -845,7 +845,7 @@ function run_action(request_path, lang, tree, resolved, action) {
 			         "Install luci-mod-admin-full and retry. " +
 			         "If the module is already installed, try removing the /tmp/luci-indexcache file.");
 		else
-			error404(`No page is registered at '/${join("/", resolved.ctx.request_path)}'.\n` +
+			error404(`No page is registered at '/${entityencode(join("/", resolved.ctx.request_path))}'.\n` +
 			         "If this url belongs to an extension, make sure it is properly installed.\n" +
 			         "If the extension was recently installed, try removing the /tmp/luci-indexcache file.");
 		break;

modules/luci-base/ucode/template/header.ut

@@ -10,7 +10,7 @@
 <script type="text/javascript" src="{{ resource }}/promis.min.js"></script>
 <script type="text/javascript" src="{{ resource }}/luci.js"></script>
 <script type="text/javascript">
-	L = new LuCI({{ {
+	L = new LuCI({{ replace(`${ {
 		media          : media,
 		resource       : resource,
 		scriptname     : http.getenv("SCRIPT_NAME"),
@@ -28,5 +28,5 @@
 		apply_timeout  : max(+config.apply.timeout  ||   5,  1),
 		apply_display  : max(+config.apply.display  || 1.5,  1),
 		rollback_token : rollback_token
-	} }});
+	} }`, '/', '\\/') }});
 </script>