diff options
author | lpsolit%gmail.com <> | 2006-10-15 05:26:50 +0200 |
---|---|---|
committer | lpsolit%gmail.com <> | 2006-10-15 05:26:50 +0200 |
commit | b1ef63e5bfc0d3995245b42154686db1400b2c22 (patch) | |
tree | 0db4955b3303c2e5565d6e97e8fac62c63147117 /Bugzilla/Template.pm | |
parent | 40aae68e1263b9677285473a9205cef378b451c0 (diff) | |
download | bugzilla-b1ef63e5bfc0d3995245b42154686db1400b2c22.tar.gz bugzilla-b1ef63e5bfc0d3995245b42154686db1400b2c22.tar.xz |
Bug 206037: [SECURITY] Fix escaping/quoting in edit*.cgi scripts - Patch by Frédéric Buclin <LpSolit@gmail.com> r=justdave a=justdave
Diffstat (limited to 'Bugzilla/Template.pm')
-rw-r--r-- | Bugzilla/Template.pm | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 7149828ef..915e3cdc6 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -289,7 +289,8 @@ sub quoteUrls { ~egox; # non-mailto protocols - my $protocol_re = qr/(afs|cid|ftp|gopher|http|https|irc|mid|news|nntp|prospero|telnet|view-source|wais)/i; + my $safe_protocols = join('|', SAFE_PROTOCOLS); + my $protocol_re = qr/($safe_protocols)/i; $text =~ s~\b(${protocol_re}: # The protocol: [^\s<>\"]+ # Any non-whitespace @@ -734,7 +735,9 @@ sub create { } return $var; }, - + + html_light => \&Bugzilla::Util::html_light_quote, + # iCalendar contentline filter ics => [ sub { my ($context, @args) = @_; |