diff options
author | Dylan Hardison <dylan@mozilla.com> | 2016-02-29 14:23:34 +0100 |
---|---|---|
committer | Dylan Hardison <dylan@mozilla.com> | 2016-02-29 14:31:44 +0100 |
commit | e9b54b1353f5f51c6300d6552c880de0d26863f3 (patch) | |
tree | a6919972cc5962128a83e9b4b1ae4c44f01a73dd /extensions/REMO/web | |
parent | be2d5f9288337f46255b8543e65694ad8a1afe4c (diff) | |
download | bugzilla-e9b54b1353f5f51c6300d6552c880de0d26863f3.tar.gz bugzilla-e9b54b1353f5f51c6300d6552c880de0d26863f3.tar.xz |
Bug 1251647 - XSS vulnerability in the remo-form-payment page
Diffstat (limited to 'extensions/REMO/web')
-rw-r--r-- | extensions/REMO/web/js/payment.js | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/extensions/REMO/web/js/payment.js b/extensions/REMO/web/js/payment.js new file mode 100644 index 000000000..a03e611fb --- /dev/null +++ b/extensions/REMO/web/js/payment.js @@ -0,0 +1,85 @@ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. + * + * This Source Code Form is "Incompatible With Secondary Licenses", as + * defined by the Mozilla Public License, v. 2.0. */ + +var bug_cache = {}; + +function validateAndSubmit() { + var alert_text = ''; + if(!isFilledOut('firstname')) alert_text += "Please enter your first name\n"; + if(!isFilledOut('lastname')) alert_text += "Please enter your last name\n"; + if(!isFilledOut('wikiprofile')) alert_text += "Please enter a wiki user profile.\n"; + if(!isFilledOut('wikipage')) alert_text += "Please enter a wiki page address.\n"; + if(!isFilledOut('bug_id')) alert_text += "Please enter a valid bug id to attach this additional information to.\n"; + if(!isFilledOut('expenseform')) alert_text += "Please enter an expense form to upload.\n"; + if(!isFilledOut('receipts')) alert_text += "Please enter a receipts file to upload.\n"; + + if (alert_text) { + alert(alert_text); + return false; + } + + return true; +} + +function getBugInfo (evt) { + var bug_id = parseInt(this.value); + var div = $("#bug_info"); + + if (!bug_id) { + div.text(""); + return true; + } + div.show(); + + if (bug_cache[bug_id]) { + div.text(bug_cache[bug_id]); + return true; + } + + div.text('Getting bug info...'); + + var url = ("rest/bug/" + bug_id + + "?include_fields=product,component,status,summary&Bugzilla_api_token=" + BUGZILLA.api_token); + $.getJSON(url).done(function(data) { + var bug_message = ""; + if (data) { + if (data.bugs[0].product !== 'Mozilla Reps' + || data.bugs[0].component !== 'Budget Requests') + { + bug_message = "You can only attach budget payment " + + "information to bugs under the product " + + "'Mozilla Reps' and component 'Budget Requests'."; + } + else { + bug_message = "Bug " + bug_id + " - " + data.bugs[0].status + + " - " + data.bugs[0].summary; + } + } + else { + bug_message = "Get bug failed: " + data.responseText; + } + div.text(bug_message); + bug_cache[bug_id] = bug_message; + }).fail(function(res, x, y) { + if (res.responseJSON && res.responseJSON.error) { + div.text(res.responseJSON.message); + } + }); + return true; +} + +$(document).ready(function () { + $("#bug_id").blur(getBugInfo); + $("#receivedpayment").change(function() { + if (!$('#receivedpayment').is(':checked')) { + $('#paymentinfo').show(); + } + else { + $('#paymentinfo').hide(); + } + }); +}); |