Bug 207044 - Filter more template directives. None of these are security bugs, but they need fixing anyway. Patch by gerv; r,a=justdave.

2 files changed, 6 insertions, 2 deletions

diff --git a/template/en/default/list/change-columns.html.tmpl b/template/en/default/list/change-columns.html.tmpl
index 61ff34dd7..d49a152c8 100644
--- a/template/en/default/list/change-columns.html.tmpl
+++ b/template/en/default/list/change-columns.html.tmpl
@@ -42,7 +42,9 @@
   [% FOREACH column = masterlist %]
     <input type="checkbox" id="[% column %]" name="column_[% column %]"
       [% "checked='checked'" IF lsearch(collist, column) != -1 %]>
-    <label for="[% column %]">[% field_descs.${column} || column %]</label>
+    <label for="[% column %]">
+      [% (field_descs.${column} || column) FILTER html %]
+    </label>
     <br>
   [% END %]
 
diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl
index f02d92904..a61bdef98 100644
--- a/template/en/default/list/list.html.tmpl
+++ b/template/en/default/list/list.html.tmpl
@@ -149,7 +149,9 @@
     [% END %]
 
     [% IF bugowners %]
-      <a href="mailto:[% bugowners %]">Send Mail to [% terms.Bug %] Owners</a> &nbsp;&nbsp;
+      <a href="mailto:[% bugowners FILTER html %]">Send 
+      Mail to [% terms.Bug %] Owners</a> 
+      &nbsp;&nbsp;
     [% END %]
 
     <a href="query.cgi?