| Field | Value | Date |
|---|---|---|
| author | Dylan Hardison <dylan@mozilla.com> | 2015-12-22 19:34:38 +0100 |
| committer | Dylan Hardison <dylan@mozilla.com> | 2015-12-22 19:37:03 +0100 |
| commit | 34f8910f2b22ada382d191052f70a7427c88f95a (patch) | |
| tree | 1f7e8065e3c8812a4e1ea0499214e1ff09e683bb /Bugzilla | |
| parent | e69201a466d40d563d3c28a599c1569cfca9b471 (diff) | |
| download | bugzilla-34f8910f2b22ada382d191052f70a7427c88f95a.tar.gz bugzilla-34f8910f2b22ada382d191052f70a7427c88f95a.tar.xz | |
Bug 1232785 - [SECURITY] Buglists in CSV format can be parsed as valid javascript in some browsers
r=dkl,a=dkl
Diffstat (limited to 'Bugzilla')
-rw-r--r-- | Bugzilla/Template.pm | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index ef45cb313..04abe8200 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -859,6 +859,9 @@ sub create { { my ($var) = @_; $var = ' ' . $var if substr($var, 0, 1) eq '='; + # backslash is not special to CSV, but it can be used to confuse some browsers... + # so we do not allow it to happen. We only do this for logged-in users. + $var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id; $var =~ s/\"/\"\"/g; if ($var !~ /^-?(\d+\.)?\d*$/) { $var = "\"$var\""; |
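Review bot: the comment on the three added lines in the CSV filter should state why the rewrite is skipped for anonymous users and what it changes in the output, because as written ("can be used to confuse some browsers... so we do not allow it to happen") it neither names the mechanism the commit title describes (the CSV body being parsed as JavaScript) nor records that every backslash in exported field data is silently replaced by U+FF3C (fullwidth reverse solidus) whenever `Bugzilla->user->id` is true, which is a visible data change for logged-in exports that downstream consumers will notice. Suggest expanding the comment to something like `# A backslash can let a CSV body be read as JavaScript in some browsers; map it to a fullwidth backslash (U+FF3C).` followed by `# Only logged-in users can export non-public data, so anonymous exports are left intact.`, and mentioning the substitution in the release notes so the altered characters are not reported as a CSV bug.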