escape url on error page

webrecorder/webrecorder/maincontroller.py

@@ -333,7 +333,7 @@ def is_out_of_space(context):
         def trunc_url_expand(value):
             """ Truncate querystrings, appending an ellipses, expand on click
             """
-            trunc_value = '?<span class="truncate-expand" aria-role="button" title="Click to expand" onclick="this.innerHTML=\''+value.split('?')[-1]+'\'; this.classList.add(\'open\');">...</span>'
+            trunc_value = '?<span class="truncate-expand" aria-role="button" title="Click to expand" onclick="this.innerText=\''+value.split('?')[-1]+'\'; this.classList.add(\'open\');">...</span>'
             return re.sub(r'(\?.*)', trunc_value, value)
 
         def trunc_url(value):

webrecorder/webrecorder/templates/content_error.html

@@ -108,7 +108,7 @@ <h1>Resource not Found</h1>
                     <button id="bug-report" type="button" class="btn btn-default btn-xs" data-toggle="button" aria-pressed="false" autocomplete="off">Still missing? Report a bug.</button>
                 {% endif %}
 
-                <p>The url <b>{{ url|trunc_url_expand }}</b> was not found in the archive.</p>
+                <p>The url <b>{{ url|e|trunc_url_expand }}</b> was not found in the archive.</p>
             </div>
         </div>
     {% elif status == 402 %}
@@ -119,7 +119,7 @@ <h1>Resource not Found</h1>
             <div class="content-error-info">
                 <h1>This site could not be loaded</h1>
 
-                <p><b>{{ url|trunc_url }}</b></p>
+                <p><b>{{ url|e|trunc_url }}</b></p>
 
                 <p>Please double check that this url is valid.</p>
             </div>