Bug 1252437 - XSS vulnerability through malicious bug aliases

author: Dylan Hardison <dylan@mozilla.com> 2016-03-01 15:48:31 +0100
committer: Dylan Hardison <dylan@mozilla.com> 2016-03-01 15:48:31 +0100
commit: 33c79b8bd53b084122b95d8863d776cc6f4a2ad7 (patch)
tree: 600ea70c62624648215bc37e56b97261eb7a4ecc /extensions/BugModal
parent: 8ce105347fda12b58424f8fb21cfc7a9bd7e2431 (diff)
download: bugzilla-33c79b8bd53b084122b95d8863d776cc6f4a2ad7.tar.gz
bugzilla-33c79b8bd53b084122b95d8863d776cc6f4a2ad7.tar.xz
1 files changed, 2 insertions, 1 deletions
diff --git a/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl b/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
index 361b9ec9d..f70e77bb1 100644
--- a/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
+++ b/extensions/BugModal/template/en/default/bug_modal/header.html.tmpl
@@ -15,7 +15,8 @@
   END;
   title = "$bug.bug_id - ";
   IF bug.alias;
-    title = title _ "($bug.alias) ";
+    filtered_alias = bug.alias FILTER html;
+    title = title _ "($filtered_alias) ";
   END;
   unfiltered_title = title _ bug.short_desc;
   filtered_desc = bug.short_desc FILTER html;
author	Dylan Hardison <dylan@mozilla.com>	2016-03-01 15:48:31 +0100
committer	Dylan Hardison <dylan@mozilla.com>	2016-03-01 15:48:31 +0100
commit	33c79b8bd53b084122b95d8863d776cc6f4a2ad7 (patch)
tree	600ea70c62624648215bc37e56b97261eb7a4ecc /extensions/BugModal
parent	8ce105347fda12b58424f8fb21cfc7a9bd7e2431 (diff)
download	bugzilla-33c79b8bd53b084122b95d8863d776cc6f4a2ad7.tar.gz bugzilla-33c79b8bd53b084122b95d8863d776cc6f4a2ad7.tar.xz