authormkanat%bugzilla.org <>2006-09-22 08:19:03 +0200
committermkanat%bugzilla.org <>2006-09-22 08:19:03 +0200
commit6c0f16ffbf7b39da24ded73e17fd2fc0ea4e1a75 (patch)
tree01b6bc59ac81cec31c465487b6283645e6567984
parentc4840b684916affdf475076faa5ad698d5dc54b5 (diff)
downloadbugzilla-6c0f16ffbf7b39da24ded73e17fd2fc0ea4e1a75.tar.gz
bugzilla-6c0f16ffbf7b39da24ded73e17fd2fc0ea4e1a75.tar.xz
Bug 351994: Messages shouldn't contain HTML characters unless we're in USAGE_MODE_BROWSER
Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=ghendricks, a=myk
-rw-r--r--Bugzilla/Template.pm16
-rw-r--r--t/008filter.t2
-rw-r--r--template/en/default/global/code-error.html.tmpl6
-rw-r--r--template/en/default/global/message.txt.tmpl2
-rw-r--r--template/en/default/global/user-error.html.tmpl6
5 files changed, 28 insertions, 4 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index b54c4a0f2..7149828ef 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -760,6 +760,22 @@ sub create {
1
],
+ # Note that using this filter is even more dangerous than
+ # using "none," and you should only use it when you're SURE
+ # the output won't be displayed directly to a web browser.
+ txt => sub {
+ my ($var) = @_;
+ # Trivial HTML tag remover
+ $var =~ s/<[^>]*>//g;
+ # And this basically reverses the html filter.
+ $var =~ s/\&#64;/@/g;
+ $var =~ s/\&lt;/</g;
+ $var =~ s/\&gt;/>/g;
+ $var =~ s/\&quot;/\"/g;
+ $var =~ s/\&amp;/\&/g;
+ return $var;
+ },
+
# Wrap a displayed comment to the appropriate length
wrap_comment => \&Bugzilla::Util::wrap_comment,
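Review bot: The tag-stripping regex `$var =~ s/<[^>]*>//g;` deletes any text that sits between a literal `<` and a later `>`, not just markup, so a message such as "expected a < b > c" would lose " b " along with the brackets; a tag-shaped pattern like `$var =~ s{</?[a-zA-Z][^>]*>}{}g;` would confine the removal to things that look like tags. The entity reversal covers only the five entities listed, so any other entity a message carries (for example `&#39;` or `&nbsp;`) reaches the plain-text output unchanged — worth stating in the comment, e.g. `# Only the entities the html filter produces are reversed; others pass through.` The order is right as written: decoding `&amp;` last avoids turning `&amp;lt;` into `<`. The enclosing `create` sub begins and ends outside this hunk.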
diff --git a/t/008filter.t b/t/008filter.t
index 02d4d4a7e..66f4b7c97 100644
--- a/t/008filter.t
+++ b/t/008filter.t
@@ -225,7 +225,7 @@ sub directive_ok {
return 1 if $directive =~ /FILTER\ (html|csv|js|base64|url_quote|css_class_quote|
ics|quoteUrls|time|uri|xml|lower|
obsolete|inactive|closed|unitconvert|
- none)\b/x;
+ txt|none)\b/x;
return 0;
}
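Review bot: Adding `txt` to the always-accepted list at `txt|none)\b/x;` means this audit will never flag a `FILTER txt` in an `.html.tmpl` file, even though the filter (as its comment in Template.pm says) is more dangerous than `none` because it decodes `&lt;`, `&gt;`, `&quot;` and `&amp;` back into raw markup characters. A comment above the list recording why `txt` is accepted — presumably because the templates in this commit only reach it outside USAGE_MODE_BROWSER — would keep a later reader from treating it as a general-purpose escape filter. If `directive_ok` has access to the template file name (not visible here), accepting `txt` only in `.txt.tmpl` files would make the check stricter. The body of `directive_ok` begins before this hunk.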
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 63ce0ffab..f6ccae754 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -434,7 +434,11 @@
[%# We only want HTML error messages for ERROR_MODE_WEBPAGE %]
[% USE Bugzilla %]
[% IF Bugzilla.error_mode != constants.ERROR_MODE_WEBPAGE %]
- [% error_message FILTER none %]
+ [% IF Bugzilla.usage_mode == constants.USAGE_MODE_BROWSER %]
+ [% error_message FILTER none %]
+ [% ELSE %]
+ [% error_message FILTER txt %]
+ [% END %]
[% RETURN %]
[% END %]
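Review bot: The existing comment `[%# We only want HTML error messages for ERROR_MODE_WEBPAGE %]` no longer describes the block beneath it, which now also branches on `Bugzilla.usage_mode` to choose between `FILTER none` and `FILTER txt`. Suggest `[%# HTML error messages only for ERROR_MODE_WEBPAGE. Outside that, keep the raw message only when the usage mode is a browser; otherwise reduce it to plain text with txt. %]`. The same comment and branch appear in user-error.html.tmpl in the last hunk of this commit, and the note applies there too.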
diff --git a/template/en/default/global/message.txt.tmpl b/template/en/default/global/message.txt.tmpl
index fc0ec1977..e8ec1e510 100644
--- a/template/en/default/global/message.txt.tmpl
+++ b/template/en/default/global/message.txt.tmpl
@@ -23,4 +23,4 @@
[%# Yes, this may show some HTML. But it's the best we
# can do at the moment. %]
[% PROCESS global/messages.html.tmpl %]
-[% message %]
+[% message FILTER txt %]
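Review bot: The comment `[%# Yes, this may show some HTML. But it's the best we can do at the moment. %]` is now stale, since the line below applies `FILTER txt`, which strips tags and decodes the common entities; what remains true is only that entities the filter does not recognise pass through. Suggest rewording it to `[%# message comes from HTML templates; txt strips tags and decodes the common entities, anything else is emitted as-is. %]`. Unlike the two error templates in this commit, the filter is applied here unconditionally rather than gated on usage mode, which looks intentional for a .txt template but is worth saying in the comment.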
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index a9706376b..646da5f75 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1483,7 +1483,11 @@
[%# We only want HTML error messages for ERROR_MODE_WEBPAGE %]
[% USE Bugzilla %]
[% IF Bugzilla.error_mode != constants.ERROR_MODE_WEBPAGE %]
- [% error_message FILTER none %]
+ [% IF Bugzilla.usage_mode == constants.USAGE_MODE_BROWSER %]
+ [% error_message FILTER none %]
+ [% ELSE %]
+ [% error_message FILTER txt %]
+ [% END %]
[% RETURN %]
[% END %]