authorMax Kanat-Alexander <mkanat@bugzilla.org>2010-05-19 19:20:09 +0200
committerMax Kanat-Alexander <mkanat@bugzilla.org>2010-05-19 19:20:09 +0200
commit401b0d1301cf419ff40d7cb82d2763b13accd26a (patch)
tree6f88f573c4cdae792ff04cc5c4510c0587540f7e
parent4095f06769a8fb3ce0878209508a6f129b099d91 (diff)
Bug 565899: Make the html_linebreak filter safe by having it first call the
"html" filter r=LpSolit, a=LpSolit
-rw-r--r--Bugzilla/Template.pm1
-rw-r--r--t/008filter.t2
-rw-r--r--template/en/default/global/code-error.html.tmpl2
-rw-r--r--template/en/default/global/hidden-fields.html.tmpl2
4 files changed, 4 insertions, 3 deletions
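diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 71370a8c1..274ed8847 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -532,6 +532,7 @@ sub create {
 # See bugs 4928, 22983 and 32000 for more details
 html_linebreak => sub {
 my ($var) = @_;
+ $var = html_quote($var);
 $var =~ s/\r\n/\&#013;/g;
 $var =~ s/\n\r/\&#013;/g;
 $var =~ s/\r/\&#013;/g;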
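Review bot: The new html_quote() call has to stay ahead of the `&#013;` substitutions, and nothing in the sub records that constraint; if someone later moves the quoting after the newline rewriting, every entity becomes `&amp;#013;` and the line-break encoding silently breaks again. A one-line comment above the added line would pin it: `# Quote first: the &#013; entities inserted below must not themselves be html-quoted.` Also worth noting is that any template still applying `FILTER html` before `FILTER html_linebreak` (this commit updates two) will now double-escape, emitting `&amp;lt;` where `&lt;` was intended, so remaining callers outside this diff deserve a search. The html_linebreak sub continues past the end of the hunk.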
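diff --git a/t/008filter.t b/t/008filter.t
index e6ae4c13a..5a5b223c8 100644
--- a/t/008filter.t
+++ b/t/008filter.t
@@ -226,7 +226,7 @@ sub directive_ok {
 return 1 if $directive =~ /FILTER\ (html|csv|js|base64|url_quote|css_class_quote|
 ics|quoteUrls|time|uri|xml|lower|html_light|
 obsolete|inactive|closed|unitconvert|
- txt|none)\b/x;
+ txt|html_linebreak|none)\b/x;
 return 0;
 }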
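Review bot: `html_linebreak` now sits in directive_ok's list of filters accepted as escaping on their own, but nothing here records that this is only valid while the filter in Bugzilla/Template.pm keeps calling html_quote() itself; if that call were ever dropped, templates relying on the filter alone would still pass this test. Since the pattern uses /x, a comment can sit right on the alternation, e.g. `txt|html_linebreak|none)\b/x;  # html_linebreak html-quotes its input itself (bug 565899)`, keeping the test and the filter in step. directive_ok begins before the hunk.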
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index f50f60737..e3bd3ba8b 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -540,7 +540,7 @@
</table>
<p>Traceback:</p>
-<pre>[% traceback FILTER html FILTER html_linebreak %]</pre>
+<pre>[% traceback FILTER html_linebreak %]</pre>
[% IF variables %]
<pre>
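diff --git a/template/en/default/global/hidden-fields.html.tmpl b/template/en/default/global/hidden-fields.html.tmpl
index 24f15c4f5..c141c6409 100644
--- a/template/en/default/global/hidden-fields.html.tmpl
+++ b/template/en/default/global/hidden-fields.html.tmpl
@@ -52,7 +52,7 @@
 [% ELSE %]
 [% FOREACH mvalue = cgi.param(field).slice(0) %]
 <input type="hidden" name="[% field FILTER html %]"
- value="[% mvalue FILTER html FILTER html_linebreak %]">
+ value="[% mvalue FILTER html_linebreak %]">
 [% END %]
 [% END %]
 [% END %]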