author | justdave%syndicomm.com <> | 2003-04-25 05:49:27 +0200 |
committer | justdave%syndicomm.com <> | 2003-04-25 05:49:27 +0200 |
commit | 29021b187f042f023584dd3986c086ca68bef0a2 (patch) | |
tree | d6c1c7c114ffe92462ef4f1817c6a87f18e4141c /template/en/default/global | |
parent | 2fac94504175f4964ad254f07e184e00e10eef08 (diff) | |
download | bugzilla-29021b187f042f023584dd3986c086ca68bef0a2.tar.gz bugzilla-29021b187f042f023584dd3986c086ca68bef0a2.tar.xz |
Bug 192677: Add new test to flag failure-to-filter situations in the templates, and correct the XSS holes that were discovered as a
result of it.
Patch by Gervase Markham <gerv@mozilla.org>
r= myk, bbaetz, justdave
a= justdave
Diffstat (limited to 'template/en/default/global')
5 files changed, 12 insertions, 7 deletions
diff --git a/template/en/default/global/choose-product.html.tmpl b/template/en/default/global/choose-product.html.tmpl
index de0ca0be7..e79f7820d 100644
--- a/template/en/default/global/choose-product.html.tmpl
+++ b/template/en/default/global/choose-product.html.tmpl
@@ -41,7 +41,7 @@
     <tr>
       <th align="right" valign="top">
         <a href="[% target %]?product=[% p FILTER url_quote %]
-        [%- "&format=$format" IF format %]">
+        [% IF format %]&format=[% format FILTER url_quote %][% END %]">
         [% p FILTER html %]</a>:
       </th>
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index b35bbb064..92836f4db 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -86,7 +86,7 @@
   [% ELSIF error == "field_type_mismatch" %]
     Cannot seem to handle <code>[% field %]</code>
-    and <code>[% type %]</code> together.
+    and <code>[% type FILTER html %]</code> together.
   [% ELSIF error == "gd_not_installed" %]
     Charts will not work without the GD Perl module being installed.
diff --git a/template/en/default/global/hidden-fields.html.tmpl b/template/en/default/global/hidden-fields.html.tmpl
index f968fab20..a824c3489 100644
--- a/template/en/default/global/hidden-fields.html.tmpl
+++ b/template/en/default/global/hidden-fields.html.tmpl
@@ -32,11 +32,11 @@
   [% NEXT IF exclude && field.key.search(exclude) %]
   [% IF mform.${field.key}.size > 1 %]
     [% FOREACH mvalue = mform.${field.key} %]
-      <input type="hidden" name="[% field.key %]"
+      <input type="hidden" name="[% field.key FILTER html %]"
             value="[% mvalue | html | html_linebreak %]">
     [% END %]
   [% ELSE %]
-    <input type="hidden" name="[% field.key %]"
+    <input type="hidden" name="[% field.key FILTER html %]"
           value="[% field.value | html | html_linebreak %]">
   [% END %]
 [% END %]
diff --git a/template/en/default/global/message.html.tmpl b/template/en/default/global/message.html.tmpl
index f6cb321c6..58cd56908 100644
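Review bot: `[% target %]` in the same href stays unfiltered while the commit quotes `p` and `format` on either side of it; the hunk does not show where target is set, so if it is always a script-supplied constant that is acceptable, but then a comment saying so would save the next audit, and otherwise it should read `<a href="[% target FILTER html %]?product=[% p FILTER url_quote %]`. Separately, a bare `&` inside an attribute value is not well-formed HTML even though browsers tolerate it, so the new line would be cleaner as `[% IF format %]&amp;format=[% format FILTER url_quote %][% END %]">`. The enclosing FOREACH starts outside the hunk.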
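Review bot: In the code-error hunk, `<code>[% field %]</code>` on the context line directly above the change is still unfiltered on the new side, so only the second of the two interpolated values in this message is escaped; the same fix applies there, `Cannot seem to handle <code>[% field FILTER html %]</code>`. Whether field can carry request-controlled text is not visible from the hunk, but the filter is free and the failure-to-filter test this commit introduces would presumably flag it anyway.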
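Review bot: In the hidden-fields hunk the new name attributes use the `FILTER html` directive while the value attributes immediately below keep the pipe form `| html | html_linebreak`, so a single input element now mixes both spellings, which makes a grep-based filter audit harder to read. Either form behaves the same; picking one per template, for example `value="[% mvalue FILTER html FILTER html_linebreak %]">`, keeps the escaping visibly uniform. The enclosing FOREACH over the form fields starts outside the hunk.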
--- a/template/en/default/global/message.html.tmpl
+++ b/template/en/default/global/message.html.tmpl
@@ -34,7 +34,7 @@
 [%# Display a URL if the calling script or message block has included one. %]
 [% IF url && link %]
   <p>
-    <a href="[% url %]">[% link %]</a>
+    <a href="[% url FILTER html %]">[% link FILTER html %]</a>
   </p>
 [% END %]
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index fe1d9e223..934c0511f 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -235,7 +235,7 @@
   [% ELSIF error == "illegal_date" %]
     [% title = "Your Query Makes No Sense" %]
-    '<tt>[% date %]</tt>' is not a legal date.
+    '<tt>[% date FILTER html %]</tt>' is not a legal date.
   [% ELSIF error == "illegal_email_address" %]
     [% title = "Invalid Email Address" %]
@@ -290,6 +290,11 @@
     in your browser. To help us fix this limitation, add your comments to
     <a href="http://bugzilla.mozilla.org/show_bug.cgi?id=70907">bug 70907</a>.
+  [% ELSIF error == "invalid_changedsince" %]
+    [% title = "Invalid 'Changed Since'" %]
+    The 'changed since' value, '[% changedsince FILTER html %]', must be an
+    integer >= 0.
+
   [% ELSIF error == "invalid_content_type" %]
     [% title = "Invalid Content-Type" %]
     The content type <em>[% contenttype FILTER html %]</em> is invalid.
@@ -355,7 +360,7 @@
   [% ELSIF error == "missing_email_type" %]
     [% title = "Your Query Makes No Sense" %]
     You must specify one or more fields in which to search for
-    <tt>[% email %]</tt>.
+    <tt>[% email FILTER html %]</tt>.
   [% ELSIF error == "missing_query" %]
     [% title = "Missing Query" %] |
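Review bot: In the message.html.tmpl hunk, `url FILTER html` closes the attribute-breakout hole but does not constrain what scheme the link uses, so a non-http value supplied by a caller would survive HTML escaping intact inside the href. The comment on the first context line only says the URL comes from "the calling script or message block", so whether any caller passes request-derived data is inferred rather than visible here; the cheap mitigation is to extend that comment to state the contract, e.g. `[%# Display a URL if the calling script or message block has included one. Callers must pass only trusted, relative URLs; this template escapes but does not validate. %]`, and to validate the scheme in the caller where the value is built. The `link FILTER html` on the text side is the correct filter as written.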