diff options
author | lpsolit%gmail.com <> | 2009-07-16 03:30:48 +0200 |
---|---|---|
committer | lpsolit%gmail.com <> | 2009-07-16 03:30:48 +0200 |
commit | b3f8306d6efb33e6a73d45a2e04d4679cbc17660 (patch) | |
tree | e6675a8c7aeff8fe97f4cc5ffdfcbe283c65f20e | |
parent | 8a3a795c12e95481e7dd7b169495ecb5154d120b (diff) | |
download | bugzilla-b3f8306d6efb33e6a73d45a2e04d4679cbc17660.tar.gz bugzilla-b3f8306d6efb33e6a73d45a2e04d4679cbc17660.tar.xz |
Bug 476305: Clean up and merge HTML filtering code - Patch by Vitaly Fedrushkov <vitaly.fedrushkov@gmail.com> r/a=LpSolit
-rw-r--r-- | Bugzilla/Template.pm | 34 | ||||
-rw-r--r-- | Bugzilla/Util.pm | 41 | ||||
-rw-r--r-- | t/007util.t | 2 |
3 files changed, 36 insertions, 41 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 48cd90508..d7ebfc055 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -641,39 +641,7 @@ sub create { 1 ], - # Bug 120030: Override html filter to obscure the '@' in user - # visible strings. - # Bug 319331: Handle BiDi disruptions. - html => sub { - my ($var) = Template::Filters::html_filter(@_); - # Obscure '@'. - $var =~ s/\@/\@/g; - if (Bugzilla->params->{'utf8'}) { - # Remove the following characters because they're - # influencing BiDi: - # -------------------------------------------------------- - # |Code |Name |UTF-8 representation| - # |------|--------------------------|--------------------| - # |U+202a|Left-To-Right Embedding |0xe2 0x80 0xaa | - # |U+202b|Right-To-Left Embedding |0xe2 0x80 0xab | - # |U+202c|Pop Directional Formatting|0xe2 0x80 0xac | - # |U+202d|Left-To-Right Override |0xe2 0x80 0xad | - # |U+202e|Right-To-Left Override |0xe2 0x80 0xae | - # -------------------------------------------------------- - # - # The following are characters influencing BiDi, too, but - # they can be spared from filtering because they don't - # influence more than one character right or left: - # -------------------------------------------------------- - # |Code |Name |UTF-8 representation| - # |------|--------------------------|--------------------| - # |U+200e|Left-To-Right Mark |0xe2 0x80 0x8e | - # |U+200f|Right-To-Left Mark |0xe2 0x80 0x8f | - # -------------------------------------------------------- - $var =~ s/[\x{202a}-\x{202e}]//g; - } - return $var; - }, + html => \&Bugzilla::Util::html_quote, html_light => \&Bugzilla::Util::html_light_quote, diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index b3d5b0eaa..55ec6dcf8 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm @@ -55,6 +55,7 @@ use DateTime::TimeZone; use Digest; use Email::Address; use Scalar::Util qw(tainted); +use Template::Filters; use Text::Wrap; sub trick_taint { @@ -81,12 +82,37 @@ sub detaint_signed { return (defined($_[0])); } +# Bug 120030: Override html filter to obscure the '@' in user +# visible strings. +# Bug 319331: Handle BiDi disruptions. sub html_quote { - my ($var) = (@_); - $var =~ s/\&/\&/g; - $var =~ s/</\</g; - $var =~ s/>/\>/g; - $var =~ s/\"/\"/g; + my ($var) = Template::Filters::html_filter(@_); + # Obscure '@'. + $var =~ s/\@/\@/g; + if (Bugzilla->params->{'utf8'}) { + # Remove the following characters because they're + # influencing BiDi: + # -------------------------------------------------------- + # |Code |Name |UTF-8 representation| + # |------|--------------------------|--------------------| + # |U+202a|Left-To-Right Embedding |0xe2 0x80 0xaa | + # |U+202b|Right-To-Left Embedding |0xe2 0x80 0xab | + # |U+202c|Pop Directional Formatting|0xe2 0x80 0xac | + # |U+202d|Left-To-Right Override |0xe2 0x80 0xad | + # |U+202e|Right-To-Left Override |0xe2 0x80 0xae | + # -------------------------------------------------------- + # + # The following are characters influencing BiDi, too, but + # they can be spared from filtering because they don't + # influence more than one character right or left: + # -------------------------------------------------------- + # |Code |Name |UTF-8 representation| + # |------|--------------------------|--------------------| + # |U+200e|Left-To-Right Mark |0xe2 0x80 0x8e | + # |U+200f|Right-To-Left Mark |0xe2 0x80 0x8f | + # -------------------------------------------------------- + $var =~ s/[\x{202a}-\x{202e}]//g; + } return $var; } @@ -745,8 +771,9 @@ be done in the template where possible. =item C<html_quote($val)> -Returns a value quoted for use in HTML, with &, E<lt>, E<gt>, and E<34> being -replaced with their appropriate HTML entities. +Returns a value quoted for use in HTML, with &, E<lt>, E<gt>, E<34> and @ being +replaced with their appropriate HTML entities. Also, Unicode BiDi controls are +deleted. =item C<html_light_quote($val)> diff --git a/t/007util.t b/t/007util.t index c0433639b..af36e94ac 100644 --- a/t/007util.t +++ b/t/007util.t @@ -45,7 +45,7 @@ my $tz = Bugzilla->local_timezone->short_name_for_datetime(DateTime->new(year => # XXX: test taint functions #html_quote(): -is(html_quote("<lala&>"),"<lala&>",'html_quote'); +is(html_quote("<lala&@>"),"<lala&@>",'html_quote'); #url_quote(): is(url_quote("<lala&>gaa\"'[]{\\"),"%3Clala%26%3Egaa%22%27%5B%5D%7B%5C",'url_quote'); |