author | 'Frédéric Buclin <LpSolit@gmail.com> | 2014-02-10 08:54:21 +0100 |
---|---|---|
committer | Byron Jones <bjones@mozilla.com> | 2014-02-10 08:54:21 +0100 |
commit | 240db1a527f880948ab1d17f915e55c986ffc716 (patch) | |
tree | 5156de06cca94efd7395b94c3c21990b7cda20cc | |
parent | 55e336233dbd15d525b2f4717572b6ad6c010219 (diff) | |
download | bugzilla-240db1a527f880948ab1d17f915e55c986ffc716.tar.gz bugzilla-240db1a527f880948ab1d17f915e55c986ffc716.tar.xz |
Bug 926085: Forbid single quotes to delimit URLs (no <a href='...'>)
-rw-r--r-- | t/004template.t | 16 | ||||
-rw-r--r-- | template/en/default/admin/params/attachment.html.tmpl | 4 |
2 files changed, 17 insertions, 3 deletions
diff --git a/t/004template.t b/t/004template.t
index ce18619e7..666ce5fa4 100644
--- a/t/004template.t
+++ b/t/004template.t
@@ -38,7 +38,7 @@ use CGI qw(-no_debug);
 
 use File::Spec;
 use Template;
-use Test::More tests => ( scalar(@referenced_files) + $num_actual_files );
+use Test::More tests => ( scalar(@referenced_files) + 2 * $num_actual_files );
 
 # Capture the TESTOUT from Test::More or Test::Builder for printing errors.
 # This will handle verbosity for us automatically.
@@ -123,6 +123,20 @@ foreach my $include_path (@include_paths) {
 ok(0, "$path has bad syntax --ERROR");
 print $fh $data . "\n";
 }
+
+ # Make sure no forbidden constructs are present.
+ local $/;
+ open(FILE, '<', $path) or die "Can't open $file: $!\n";
+ $data = <FILE>;
+ close (FILE);
+
+ # Forbid single quotes to delimit URLs, see bug 926085.
+ if ($data =~ /href=\\?'/) {
+ ok(0, "$path contains blacklisted constructs: href='...'");
+ }
+ else {
+ ok(1, "$path contains no blacklisted constructs");
+ }
 }
 }
 
diff --git a/template/en/default/admin/params/attachment.html.tmpl b/template/en/default/admin/params/attachment.html.tmpl
index 69f62e9be..4075374bc 100644
--- a/template/en/default/admin/params/attachment.html.tmpl
+++ b/template/en/default/admin/params/attachment.html.tmpl
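Review bot: The blacklist regex `/href=\\?'/` in the new check is case-sensitive and allows no whitespace around `=`, so a template containing `HREF='...'` or `href = '...'` still passes the test while producing exactly the single-quoted attribute the commit sets out to forbid; `if ($data =~ /href\s*=\s*\\?'/i) {` closes that gap. The `die` message on the new `open` line interpolates `$file` while the handle is opened on `$path`, so on failure the message would appear to name a different variable than the one actually used; `or die "Can't open $path: $!\n";` keeps the two in step. The reopen also goes through a bareword handle `FILE` even though the hunk already uses a lexical handle for output (`print $fh $data`); `open(my $tmpl_fh, '<', $path)` avoids the package-global handle and the `close (FILE)` pairing, and `$tmpl_fh` avoids clobbering the `$fh` in scope. The enclosing foreach loops begin outside the hunk.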
@@ -63,13 +63,13 @@
 maxattachmentsize => "The maximum size (in kilobytes) of attachments to be stored " _
 "in the database. If a file larger than this size is attached " _
 "to ${terms.abug}, $terms.Bugzilla will look at the " _
- "<a href='#maxlocalattachment'><tt>maxlocalattachment</tt> parameter</a> " _
+ "<a href=\"#maxlocalattachment\"><tt>maxlocalattachment</tt> parameter</a> " _
 "to determine if the file can be stored locally on the web server. " _
 "If the file size exceeds both limits, then the attachment is rejected. " _
 "Settings both parameters to 0 will prevent attaching files to ${terms.bugs}.",
 
 maxlocalattachment => "The maximum size (in megabytes) of attachments to be stored " _
 "locally on the web server. If set to a value lower than the " _
- "<a href='#maxattachmentsize'><tt>maxattachmentsize</tt> parameter</a>, " _
+ "<a href=\"#maxattachmentsize\"><tt>maxattachmentsize</tt> parameter</a>, " _
 "attachments will never be kept on the local filesystem." }
 %] |