author | Manish Goregaokar <manishearth@gmail.com> | 2014-04-17 18:37:11 +0200 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2014-04-17 18:37:11 +0200 |
commit | 6066ff31980fddc2eb97b987c5bbd1a931495f1e (patch) | |
tree | 2063ecd87ec1588447b0cc8acb5d8831e1fa7510 /Bugzilla/Util.pm | |
parent | e5daf5788336ccbf910ecaf9cf6463ef0ed7081c (diff) | |
Bug 968576: [SECURITY] Dangerous control characters allowed in Bugzilla text
r=glob a=justdave
Diffstat (limited to 'Bugzilla/Util.pm')
-rw-r--r-- | Bugzilla/Util.pm | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index c2dbdc97d..48507ff9e 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -91,6 +91,10 @@ sub html_quote {
 # Obscure '@'.
 $var =~ s/\@/\@/g;
 if (Bugzilla->params->{'utf8'}) {
+ # Remove control characters if the encoding is utf8.
+ # Other multibyte encodings may be using this range; so ignore if not utf8.
+ $var =~ s/(?![\t\r\n])[[:cntrl:]]//g;
+
 # Remove the following characters because they're
 # influencing BiDi:
 # -------------------------------------------------------- |
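Review bot: The set of characters stripped by the added `s/(?![\t\r\n])[[:cntrl:]]//g` is not pinned down by the pattern itself. In Perl, whether `[[:cntrl:]]` also matches the C1 range (U+0080–U+009F) depends on whether `$var` is a decoded character string or a byte string and on the regex semantics in effect, and the hunk does not show which applies here. If only C0 and DEL are meant, an explicit class such as `$var =~ s/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]//g;` makes the filter independent of the string's internal state; if C1 is meant too, the comment should say so, e.g. `# Strips C0, DEL and C1 controls; $var must be a decoded character string here.` This filter runs in `html_quote`, whose body starts and ends outside the hunk, so any output path that does not go through it presumably still emits the stored control characters and should be checked separately.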