summaryrefslogtreecommitdiffstats
path: root/extensions/REMO/web
diff options
context:
space:
mode:
authorDylan Hardison <dylan@mozilla.com>2016-02-29 14:23:34 +0100
committerDylan Hardison <dylan@mozilla.com>2016-02-29 14:31:44 +0100
commite9b54b1353f5f51c6300d6552c880de0d26863f3 (patch)
treea6919972cc5962128a83e9b4b1ae4c44f01a73dd /extensions/REMO/web
parentbe2d5f9288337f46255b8543e65694ad8a1afe4c (diff)
downloadbugzilla-e9b54b1353f5f51c6300d6552c880de0d26863f3.tar.gz
bugzilla-e9b54b1353f5f51c6300d6552c880de0d26863f3.tar.xz
Bug 1251647 - XSS vulnerability in the remo-form-payment page
Diffstat (limited to 'extensions/REMO/web')
-rw-r--r--extensions/REMO/web/js/payment.js85
1 files changed, 85 insertions, 0 deletions
diff --git a/extensions/REMO/web/js/payment.js b/extensions/REMO/web/js/payment.js
new file mode 100644
index 000000000..a03e611fb
--- /dev/null
+++ b/extensions/REMO/web/js/payment.js
@@ -0,0 +1,85 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * This Source Code Form is "Incompatible With Secondary Licenses", as
+ * defined by the Mozilla Public License, v. 2.0. */
+
+var bug_cache = {};
+
+function validateAndSubmit() {
+ var alert_text = '';
+ if(!isFilledOut('firstname')) alert_text += "Please enter your first name\n";
+ if(!isFilledOut('lastname')) alert_text += "Please enter your last name\n";
+ if(!isFilledOut('wikiprofile')) alert_text += "Please enter a wiki user profile.\n";
+ if(!isFilledOut('wikipage')) alert_text += "Please enter a wiki page address.\n";
+ if(!isFilledOut('bug_id')) alert_text += "Please enter a valid bug id to attach this additional information to.\n";
+ if(!isFilledOut('expenseform')) alert_text += "Please enter an expense form to upload.\n";
+ if(!isFilledOut('receipts')) alert_text += "Please enter a receipts file to upload.\n";
+
+ if (alert_text) {
+ alert(alert_text);
+ return false;
+ }
+
+ return true;
+}
+
+function getBugInfo (evt) {
+ var bug_id = parseInt(this.value);
+ var div = $("#bug_info");
+
+ if (!bug_id) {
+ div.text("");
+ return true;
+ }
+ div.show();
+
+ if (bug_cache[bug_id]) {
+ div.text(bug_cache[bug_id]);
+ return true;
+ }
+
+ div.text('Getting bug info...');
+
+ var url = ("rest/bug/" + bug_id +
+ "?include_fields=product,component,status,summary&Bugzilla_api_token=" + BUGZILLA.api_token);
+ $.getJSON(url).done(function(data) {
+ var bug_message = "";
+ if (data) {
+ if (data.bugs[0].product !== 'Mozilla Reps'
+ || data.bugs[0].component !== 'Budget Requests')
+ {
+ bug_message = "You can only attach budget payment " +
+ "information to bugs under the product " +
+ "'Mozilla Reps' and component 'Budget Requests'.";
+ }
+ else {
+ bug_message = "Bug " + bug_id + " - " + data.bugs[0].status +
+ " - " + data.bugs[0].summary;
+ }
+ }
+ else {
+ bug_message = "Get bug failed: " + data.responseText;
+ }
+ div.text(bug_message);
+ bug_cache[bug_id] = bug_message;
+ }).fail(function(res, x, y) {
+ if (res.responseJSON && res.responseJSON.error) {
+ div.text(res.responseJSON.message);
+ }
+ });
+ return true;
+}
+
+$(document).ready(function () {
+ $("#bug_id").blur(getBugInfo);
+ $("#receivedpayment").change(function() {
+ if (!$('#receivedpayment').is(':checked')) {
+ $('#paymentinfo').show();
+ }
+ else {
+ $('#paymentinfo').hide();
+ }
+ });
+});