diff options
author | Frédéric Buclin <LpSolit@gmail.com> | 2013-10-16 19:24:08 +0200 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-10-16 19:24:08 +0200 |
commit | 1176b66a72d6b480f739737da5059896e455ae2b (patch) | |
tree | 68539478f63553d66cdb81173f43e8c62086a977 /template/en/default/reports | |
parent | 94e43ad559cf6e53b39730d3f4050920ffc69ae3 (diff) | |
download | bugzilla-1176b66a72d6b480f739737da5059896e455ae2b.tar.gz bugzilla-1176b66a72d6b480f739737da5059896e455ae2b.tar.xz |
Bug 924932: (CVE-2013-1743) [SECURITY] Field values are not escaped correctly in tabular reports
r=dkl a=glob
Diffstat (limited to 'template/en/default/reports')
-rw-r--r-- | template/en/default/reports/report-table.html.tmpl | 38 |
1 files changed, 24 insertions, 14 deletions
diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl index 466a87d9f..2747166be 100644 --- a/template/en/default/reports/report-table.html.tmpl +++ b/template/en/default/reports/report-table.html.tmpl @@ -30,32 +30,42 @@ [% END %] <script type="text/javascript"> +function bz_encode (str, decode) { + // First decode HTML entities, if requested. + if (decode) + str = str.replace(/</g, "<").replace(/>/g, ">").replace(/"/g, '"') + .replace(/ /g, " ").replace(/&/g, "&").replace(/\s+$/,""); + + // encodeURIComponent() doesn't escape single quotes. + return encodeURIComponent(str).replace(/'/g, escape); +}; + YAHOO.util.Event.addListener(window, "load", function() { this.Linkify = function(elLiner, oRecord, oColumn, oData) { if (oData == 0) elLiner.innerHTML = "."; else if (oRecord.getData("row_title") == "Total") - elLiner.innerHTML = "<a href='[% urlbase %]&[% col_field FILTER js %]=" - + oColumn.field + "[% '&' _ row_vals IF row_vals %]'>" - + oData + "</a>"; + elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&[% col_field FILTER uri FILTER js %]=' + + bz_encode(oColumn.field) + + '[% "&" _ row_vals IF row_vals %]">' + oData + '</a>'; else - elLiner.innerHTML = "<a href='[% urlbase %]&[% row_field FILTER js %]=" - + oRecord.getData("row_title").replace(/\s+$/,"") - + "&[% col_field FILTER js %]=" + oColumn.field - + "'>" + oData + "</a>"; + elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&[% row_field FILTER uri FILTER js %]=' + + bz_encode(oRecord.getData("row_title"), 1) + + '&[% col_field FILTER uri FILTER js %]=' + + bz_encode(oColumn.field) + '">' + oData + '</a>'; }; this.LinkifyTotal = function(elLiner, oRecord, oColumn, oData) { if (oData == 0) elLiner.innerHTML = "."; else if (oRecord.getData("row_title") == "Total") - elLiner.innerHTML = "<a href='[% urlbase %][% '&' _ row_vals IF row_vals %] - [%~ '&' _ col_vals IF col_vals %]'>" - + oData + "</a>"; + elLiner.innerHTML = '<a href="[% urlbase FILTER js %][% "&" _ row_vals IF row_vals %] + [%~ "&" _ col_vals IF col_vals %]">' + + oData + '</a>'; else - elLiner.innerHTML = "<a href='[% urlbase %]&[% row_field FILTER js %]=" - + oRecord.getData("row_title").replace(/\s+$/,"") - + "[% '&' _ col_vals IF col_vals %]'>" + oData + "</a>"; + elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&[% row_field FILTER uri FILTER js %]=' + + bz_encode(oRecord.getData("row_title"), 1) + + '[% "&" _ col_vals IF col_vals %]">' + oData + '</a>'; YAHOO.util.Dom.addClass(elLiner.parentNode, "ttotal"); }; @@ -147,7 +157,7 @@ YAHOO.util.Event.addListener(window, "load", function() { [% col_idx = 0 %] [% row_idx = 0 %] [% grand_total = 0 %] -<div id="tabular_report_container_[% tbl FILTER js %]"> +<div id="tabular_report_container_[% tbl FILTER html %]"> <table id="tabular_report" border="1"> [% IF col_field %] <thead> |