author | mkanat%bugzilla.org <> | 2006-09-22 08:19:03 +0200 |
---|---|---|
committer | mkanat%bugzilla.org <> | 2006-09-22 08:19:03 +0200 |
commit | 6c0f16ffbf7b39da24ded73e17fd2fc0ea4e1a75 (patch) | |
tree | 01b6bc59ac81cec31c465487b6283645e6567984 | |
parent | c4840b684916affdf475076faa5ad698d5dc54b5 (diff) | |
Bug 351994: Messages shouldn't contain HTML characters unless we're in USAGE_MODE_BROWSER
Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=ghendricks, a=myk
-rw-r--r-- | Bugzilla/Template.pm | 16 | ||||
-rw-r--r-- | t/008filter.t | 2 | ||||
-rw-r--r-- | template/en/default/global/code-error.html.tmpl | 6 | ||||
-rw-r--r-- | template/en/default/global/message.txt.tmpl | 2 | ||||
-rw-r--r-- | template/en/default/global/user-error.html.tmpl | 6 |
5 files changed, 28 insertions, 4 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index b54c4a0f2..7149828ef 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -760,6 +760,22 @@ sub create {
 1
 ],
+ # Note that using this filter is even more dangerous than
+ # using "none," and you should only use it when you're SURE
+ # the output won't be displayed directly to a web browser.
+ txt => sub {
+ my ($var) = @_;
+ # Trivial HTML tag remover
+ $var =~ s/<[^>]*>//g;
+ # And this basically reverses the html filter.
+ $var =~ s/\@/@/g;
+ $var =~ s/\</</g;
+ $var =~ s/\>/>/g;
+ $var =~ s/\"/\"/g;
+ $var =~ s/\&/\&/g;
+ return $var;
+ },
+
 # Wrap a displayed comment to the appropriate length
 wrap_comment => \&Bugzilla::Util::wrap_comment,
diff --git a/t/008filter.t b/t/008filter.t
index 02d4d4a7e..66f4b7c97 100644
--- a/t/008filter.t
+++ b/t/008filter.t
@@ -225,7 +225,7 @@ sub directive_ok {
 return 1 if $directive =~ /FILTER\ (html|csv|js|base64|url_quote|css_class_quote|
 ics|quoteUrls|time|uri|xml|lower|
 obsolete|inactive|closed|unitconvert|
- none)\b/x;
+ txt|none)\b/x;
 return 0;
 }
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 63ce0ffab..f6ccae754 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -434,7 +434,11 @@
 [%# We only want HTML error messages for ERROR_MODE_WEBPAGE %]
 [% USE Bugzilla %]
 [% IF Bugzilla.error_mode != constants.ERROR_MODE_WEBPAGE %]
- [% error_message FILTER none %]
+ [% IF Bugzilla.usage_mode == constants.USAGE_MODE_BROWSER %]
+ [% error_message FILTER none %]
+ [% ELSE %]
+ [% error_message FILTER txt %]
+ [% END %]
 [% RETURN %]
 [% END %]
diff --git a/template/en/default/global/message.txt.tmpl b/template/en/default/global/message.txt.tmpl
index fc0ec1977..e8ec1e510 100644
--- a/template/en/default/global/message.txt.tmpl
+++ b/template/en/default/global/message.txt.tmpl
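Review bot: The five entity-reversing substitutions at the end of the new `txt` filter read, as rendered here, as identity replacements (`s/\@/@/g`, `s/\</</g`, …), which cannot reverse anything; presumably the page has decoded the entity names on the pattern side (`&#64;`, `&lt;`, `&gt;`, `&quot;`, `&amp;`) and the committed source is intact, but that is worth confirming against the checked-in file. Independently, the filter undoes only the exact entities the `html` filter emits and decodes `&amp;` last, which is the right order; any other entity in a message (numeric references, `&nbsp;`, and so on) reaches plain-text output verbatim, which the header comment should state, e.g. `# Only reverses the entities the html filter produces; other entities are left as-is.` The `s/<[^>]*>//g` tag stripper runs before decoding, so escaped text like `&lt;b&gt;` ends up as `<b>` rather than being removed, which is consistent with the stated rule that this output must never reach a browser. The enclosing `create` sub starts and ends outside the hunk.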
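Review bot: Adding `txt` to the directive_ok whitelist makes the filter test accept `FILTER txt` in every template type, including `.html.tmpl` files, even though the filter's own comment in Template.pm calls it more dangerous than `none`. If the intent is that `txt` is only legitimate in text output or in mode-guarded branches like the ones in code-error.html.tmpl, a comment on the changed line saying so would help, e.g. `# txt: unescaped output, only acceptable where it never reaches a browser`. directive_ok starts outside the hunk.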
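Review bot: The five-line usage_mode branch added here is repeated verbatim in user-error.html.tmpl (the last hunk of this commit); the two copies will drift, and a single shared block template carrying the `FILTER none` / `FILTER txt` decision would keep the escaping policy in one place. Emitting `error_message` with `FILTER none` when `usage_mode == USAGE_MODE_BROWSER` but `error_mode != ERROR_MODE_WEBPAGE` preserves the pre-existing behaviour and is presumably safe because error_message was itself rendered from an HTML template, but a one-line comment stating that assumption would help the next reader, e.g. `[%# error_message is already HTML-escaped template output; txt is for non-browser callers only %]`. The enclosing template runs outside the hunk.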
@@ -23,4 +23,4 @@
 [%# Yes, this may show some HTML. But it's the best we
 # can do at the moment. %]
 [% PROCESS global/messages.html.tmpl %]
-[% message %]
+[% message FILTER txt %]
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index a9706376b..646da5f75 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1483,7 +1483,11 @@
 [%# We only want HTML error messages for ERROR_MODE_WEBPAGE %]
 [% USE Bugzilla %]
 [% IF Bugzilla.error_mode != constants.ERROR_MODE_WEBPAGE %]
- [% error_message FILTER none %]
+ [% IF Bugzilla.usage_mode == constants.USAGE_MODE_BROWSER %]
+ [% error_message FILTER none %]
+ [% ELSE %]
+ [% error_message FILTER txt %]
+ [% END %]
 [% RETURN %]
 [% END %]
|
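Review bot: The comment directly above the changed line, `Yes, this may show some HTML. But it's the best we can do at the moment.`, is now stale: with `FILTER txt` applied, tags are stripped and the html filter's entities are reversed, so the output should no longer show HTML. Update it to describe the new behaviour, e.g. `[%# message is rendered from messages.html.tmpl; FILTER txt strips tags and undoes the html filter's escaping for plain-text output. %]`.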