authorFrédéric Buclin <LpSolit@gmail.com>2012-11-13 18:53:55 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2012-11-13 18:53:55 +0100
commitaecf0a17d1689d957bc8854e55e499839798446f (patch)
tree8fa84413d8d053e609b5e4b192011f99808b01de
parent58f2aa2c8e2c87d17eef378f357ddd77ba60f1c0 (diff)
downloadbugzilla-aecf0a17d1689d957bc8854e55e499839798446f.tar.gz
bugzilla-aecf0a17d1689d957bc8854e55e499839798446f.tar.xz
Bug 790296 (CVE-2012-4189): [SECURITY] Field values are not escaped correctly in tabular reports
r=dkl a=LpSolit
-rwxr-xr-xreport.cgi2
-rw-r--r--template/en/default/reports/report-table.html.tmpl2
2 files changed, 2 insertions, 2 deletions
diff --git a/report.cgi b/report.cgi
index de587f143..e70dcf4b2 100755
--- a/report.cgi
+++ b/report.cgi
@@ -387,5 +387,5 @@ sub get_field_restrictions {
my $field = shift;
my $cgi = Bugzilla->cgi;
- return join('&', map {"$field=$_"} $cgi->param($field));
+ return join('&amp;', map {url_quote($field) . '=' . url_quote($_)} $cgi->param($field));
}
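Review bot: The new return line mixes two encodings — the names and values are URL-encoded, but the separator is emitted as the HTML entity `&amp;` — so the string is only correct when it is dropped straight into HTML, and a caller that passes it through an html filter again (giving `&amp;amp;`) or uses it in a non-HTML context such as a redirect header would get a wrong query string. That contract is not stated anywhere in the hunk; I would add above the `return`: `# Returns an HTML-ready query fragment: field names and values are URL-encoded and the separator is already the entity &amp;, so callers must not html-escape it again or use it outside HTML.` `url_quote` is presumably the Bugzilla::Util helper, but its import is outside the hunk, so I cannot confirm from here that it is in scope in report.cgi. The opening line of get_field_restrictions is also outside the hunk.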
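--- a/template/en/default/reports/report-table.html.tmpl
+++ b/template/en/default/reports/report-table.html.tmpl
@@ -85,7 +85,7 @@ YAHOO.util.Event.addListener(window, "load", function() {
 var myColumnDefs = [
 {key:"row_title", label:"", sortable:true, sortOptions: { sortFunction:totalNumberSorter }},
 [% FOREACH col = col_names %]
-{key:"[% col FILTER js %]", label:"[% display_value(col_field, col) FILTER js %]", sortable:true,
+{key:"[% col FILTER js %]", label:"[% display_value(col_field, col) FILTER html FILTER js %]", sortable:true,
 formatter:this.Linkify, sortOptions: { defaultDir: YAHOO.widget.DataTable.CLASS_DESC, sortFunction:totalNumberSorter }},
 [% END %]
 {key:"total", label:"Total", sortable:true, formatter:this.LinkifyTotal,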
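Review bot: The changed line now applies `FILTER html FILTER js` to the label but leaves `key` on the same line with `FILTER js` only, and nothing in the hunk explains why the two differ or why the order of the two filters matters; a later "cleanup" that drops one filter or swaps them would quietly reopen the issue this commit fixes. I would put a template comment just before the `FOREACH`: `[%# label is inserted into the page as HTML by the DataTable and is also embedded in a JS string literal here, so escape for HTML first and for JS second; key is used only as an identifier, so it needs the js filter alone. %]`. That the DataTable renders the label as HTML is inferred from the fix rather than visible in the hunk, so the comment should be checked against the widget's behaviour. The rows and the `row_title` values are built outside this hunk, so I cannot tell from here whether they receive the same treatment.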