diff options
author | Frédéric Buclin <LpSolit@gmail.com> | 2013-10-16 19:26:25 +0200 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-10-16 19:26:25 +0200 |
commit | 3b9eb2e03904a12cf38268b2527742e5ede7f305 (patch) | |
tree | 6a6c5674534e3cbb745d4a617b34b153517d4ac7 | |
parent | 53eeca9fc9a12ae23a0aa66f1b38021e93d4f03c (diff) | |
download | bugzilla-3b9eb2e03904a12cf38268b2527742e5ede7f305.tar.gz bugzilla-3b9eb2e03904a12cf38268b2527742e5ede7f305.tar.xz |
Bug 924932: (CVE-2013-1743) [SECURITY] Field values are (still) not escaped correctly in tabular reports
r=dkl a=glob
-rw-r--r-- | template/en/default/reports/report-table.html.tmpl | 38 |
1 files changed, 24 insertions, 14 deletions
diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl index b41753550..cef47c2d9 100644 --- a/template/en/default/reports/report-table.html.tmpl +++ b/template/en/default/reports/report-table.html.tmpl @@ -47,32 +47,42 @@ [% END %] <script type="text/javascript"> +function bz_encode (str, decode) { + // First decode HTML entities, if requested. + if (decode) + str = str.replace(/</g, "<").replace(/>/g, ">").replace(/"/g, '"') + .replace(/ /g, " ").replace(/&/g, "&").replace(/\s+$/,""); + + // encodeURIComponent() doesn't escape single quotes. + return encodeURIComponent(str).replace(/'/g, escape); +}; + YAHOO.util.Event.addListener(window, "load", function() { this.Linkify = function(elLiner, oRecord, oColumn, oData) { if (oData == 0) elLiner.innerHTML = "."; else if (oRecord.getData("row_title") == "Total") - elLiner.innerHTML = "<a href='[% urlbase %]&[% col_field FILTER js %]=" - + oColumn.field + "[% '&' _ row_vals IF row_vals %]'>" - + oData + "</a>"; + elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&[% col_field FILTER uri FILTER js %]=' + + bz_encode(oColumn.field) + + '[% "&" _ row_vals IF row_vals %]">' + oData + '</a>'; else - elLiner.innerHTML = "<a href='[% urlbase %]&[% row_field FILTER js %]=" - + oRecord.getData("row_title").replace(/\s+$/,"") - + "&[% col_field FILTER js %]=" + oColumn.field - + "'>" + oData + "</a>"; + elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&[% row_field FILTER uri FILTER js %]=' + + bz_encode(oRecord.getData("row_title"), 1) + + '&[% col_field FILTER uri FILTER js %]=' + + bz_encode(oColumn.field) + '">' + oData + '</a>'; }; this.LinkifyTotal = function(elLiner, oRecord, oColumn, oData) { if (oData == 0) elLiner.innerHTML = "."; else if (oRecord.getData("row_title") == "Total") - elLiner.innerHTML = "<a href='[% urlbase %][% '&' _ row_vals IF row_vals %] - [%~ '&' _ col_vals IF col_vals %]'>" - + oData + "</a>"; + elLiner.innerHTML = '<a href="[% urlbase FILTER js %][% "&" _ row_vals IF row_vals %] + [%~ "&" _ col_vals IF col_vals %]">' + + oData + '</a>'; else - elLiner.innerHTML = "<a href='[% urlbase %]&[% row_field FILTER js %]=" - + oRecord.getData("row_title").replace(/\s+$/,"") - + "[% '&' _ col_vals IF col_vals %]'>" + oData + "</a>"; + elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&[% row_field FILTER uri FILTER js %]=' + + bz_encode(oRecord.getData("row_title"), 1) + + '[% "&" _ col_vals IF col_vals %]">' + oData + '</a>'; YAHOO.util.Dom.addClass(elLiner.parentNode, "ttotal"); }; @@ -164,7 +174,7 @@ YAHOO.util.Event.addListener(window, "load", function() { [% col_idx = 0 %] [% row_idx = 0 %] [% grand_total = 0 %] -<div id="tabular_report_container_[% tbl FILTER js %]"> +<div id="tabular_report_container_[% tbl FILTER html %]"> <table id="tabular_report" border="1"> [% IF col_field %] <thead> |