diff options
| author | Manish Goregaokar <manishearth@gmail.com> | 2014-04-17 18:27:05 +0200 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2014-04-17 18:27:05 +0200 |
| commit | 58b92d3b0245f6565a7ff34e78fce1e9ec56b355 (patch) | |
| tree | 5b66f0684021f72559184c04a0a4f8294f863582 /Bugzilla/Util.pm | |
| parent | 0e390970ba51b14a5dc780be7c6f0d6d7baa67e3 (diff) | |
| download | bugzilla-58b92d3b0245f6565a7ff34e78fce1e9ec56b355.tar.gz bugzilla-58b92d3b0245f6565a7ff34e78fce1e9ec56b355.tar.xz | |
Bug 968576: [SECURITY] Dangerous control characters allowed in Bugzilla text
r=glob a=justdave
Diffstat (limited to 'Bugzilla/Util.pm')
| -rw-r--r-- | Bugzilla/Util.pm | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index 5f359c38c..9bcb6962d 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm @@ -75,6 +75,10 @@ sub html_quote { state $use_utf8 = Bugzilla->params->{'utf8'}; if ($use_utf8) { + # Remove control characters if the encoding is utf8. + # Other multibyte encodings may be using this range; so ignore if not utf8. + $var =~ s/(?![\t\r\n])[[:cntrl:]]//g; + # Remove the following characters because they're # influencing BiDi: # -------------------------------------------------------- |