summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
author'Frédéric Buclin <LpSolit@gmail.com>2014-02-10 08:54:21 +0100
committerByron Jones <bjones@mozilla.com>2014-02-10 08:54:21 +0100
commit240db1a527f880948ab1d17f915e55c986ffc716 (patch)
tree5156de06cca94efd7395b94c3c21990b7cda20cc
parent55e336233dbd15d525b2f4717572b6ad6c010219 (diff)
downloadbugzilla-240db1a527f880948ab1d17f915e55c986ffc716.tar.gz
bugzilla-240db1a527f880948ab1d17f915e55c986ffc716.tar.xz
Bug 926085: Forbird single quotes to delimit URLs (no <a href='...'>)
-rw-r--r--t/004template.t16
-rw-r--r--template/en/default/admin/params/attachment.html.tmpl4
2 files changed, 17 insertions, 3 deletions
diff --git a/t/004template.t b/t/004template.t
index ce18619e7..666ce5fa4 100644
--- a/t/004template.t
+++ b/t/004template.t
@@ -38,7 +38,7 @@ use CGI qw(-no_debug);
use File::Spec;
use Template;
-use Test::More tests => ( scalar(@referenced_files) + $num_actual_files );
+use Test::More tests => ( scalar(@referenced_files) + 2 * $num_actual_files );
# Capture the TESTOUT from Test::More or Test::Builder for printing errors.
# This will handle verbosity for us automatically.
@@ -123,6 +123,20 @@ foreach my $include_path (@include_paths) {
ok(0, "$path has bad syntax --ERROR");
print $fh $data . "\n";
}
+
+ # Make sure no forbidden constructs are present.
+ local $/;
+ open(FILE, '<', $path) or die "Can't open $file: $!\n";
+ $data = <FILE>;
+ close (FILE);
+
+ # Forbid single quotes to delimit URLs, see bug 926085.
+ if ($data =~ /href=\\?'/) {
+ ok(0, "$path contains blacklisted constructs: href='...'");
+ }
+ else {
+ ok(1, "$path contains no blacklisted constructs");
+ }
}
}
diff --git a/template/en/default/admin/params/attachment.html.tmpl b/template/en/default/admin/params/attachment.html.tmpl
index 69f62e9be..4075374bc 100644
--- a/template/en/default/admin/params/attachment.html.tmpl
+++ b/template/en/default/admin/params/attachment.html.tmpl
@@ -63,13 +63,13 @@
maxattachmentsize => "The maximum size (in kilobytes) of attachments to be stored " _
"in the database. If a file larger than this size is attached " _
"to ${terms.abug}, $terms.Bugzilla will look at the " _
- "<a href='#maxlocalattachment'><tt>maxlocalattachment</tt> parameter</a> " _
+ "<a href=\"#maxlocalattachment\"><tt>maxlocalattachment</tt> parameter</a> " _
"to determine if the file can be stored locally on the web server. " _
"If the file size exceeds both limits, then the attachment is rejected. " _
"Settings both parameters to 0 will prevent attaching files to ${terms.bugs}.",
maxlocalattachment => "The maximum size (in megabytes) of attachments to be stored " _
"locally on the web server. If set to a value lower than the " _
- "<a href='#maxattachmentsize'><tt>maxattachmentsize</tt> parameter</a>, " _
+ "<a href=\"#maxattachmentsize\"><tt>maxattachmentsize</tt> parameter</a>, " _
"attachments will never be kept on the local filesystem." }
%]