author | lpsolit%gmail.com <> | 2006-10-15 05:26:50 +0200 |
---|---|---|
committer | lpsolit%gmail.com <> | 2006-10-15 05:26:50 +0200 |
commit | b1ef63e5bfc0d3995245b42154686db1400b2c22 (patch) | |
tree | 0db4955b3303c2e5565d6e97e8fac62c63147117 /template/en/default/reports | |
parent | 40aae68e1263b9677285473a9205cef378b451c0 (diff) | |
Bug 206037: [SECURITY] Fix escaping/quoting in edit*.cgi scripts - Patch by Frédéric Buclin <LpSolit@gmail.com> r=justdave a=justdave
Diffstat (limited to 'template/en/default/reports')
-rw-r--r-- | template/en/default/reports/components.html.tmpl | 4 | ||||
-rw-r--r-- | template/en/default/reports/keywords.html.tmpl | 4 |
2 files changed, 4 insertions, 4 deletions
diff --git a/template/en/default/reports/components.html.tmpl b/template/en/default/reports/components.html.tmpl
index 1e9065a78..d135a7ef8 100644
--- a/template/en/default/reports/components.html.tmpl
+++ b/template/en/default/reports/components.html.tmpl
@@ -36,7 +36,7 @@
 [% END %]
 <p>
- [% product.description FILTER none %]
+ [% product.description FILTER html_light %]
 </p>
 <table>
@@ -87,7 +87,7 @@
 </tr>
 <tr>
 <td colspan="[% numcols - 1 %]">
- [% comp.description FILTER none %]
+ [% comp.description FILTER html_light %]
 </td>
 </tr>
 [% END %]
diff --git a/template/en/default/reports/keywords.html.tmpl b/template/en/default/reports/keywords.html.tmpl
index 979c50163..1a0ae0bf5 100644
--- a/template/en/default/reports/keywords.html.tmpl
+++ b/template/en/default/reports/keywords.html.tmpl
@@ -24,7 +24,7 @@
 # keywords: array keyword objects. May be empty. Each has has four members:
 # id: id of the keyword
 # name: the name of the keyword
- # description: keyword description. May be HTML.
+ # description: keyword description. Can contain some limited HTML code.
 # bug_count: number of bugs with that keyword
 # caneditkeywords: boolean. True if this user can edit keywords
 %]
@@ -55,7 +55,7 @@
 <a name="[% keyword.name FILTER html %]">
 [% keyword.name FILTER html %]</a>
 </th>
- <td>[% keyword.description %]</td>
+ <td>[% keyword.description FILTER html_light %]</td>
 <td align="center">
 [% IF keyword.bug_count > 0 %]
 <a href="buglist.cgi?keywords=[% keyword.name FILTER url_quote %]&resolution=---"> |
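Review bot: The two components.html.tmpl hunks (`-36,7` for `product.description`, `-87,7` for `comp.description`) change what stored descriptions may contain, but the template gets no interface-comment update the way keywords.html.tmpl does. If its header comment (outside these hunks) describes the fields, it should gain the matching wording, e.g. `# description: component description. Can contain some limited HTML code.` Descriptions saved while the output was `FILTER none` may hold markup outside the `html_light` subset and will now show as escaped text, so the permitted tags are worth stating in the release notes. The safety of both outputs now rests entirely on that filter's allow-list, which this page does not show.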
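Review bot: In the keywords.html.tmpl hunk at `-55,7`, `keyword.description` was previously emitted with no filter at all rather than an explicit `FILTER none`. If the project keeps a list of directives that are intentionally left unfiltered, its entry for this field should be dropped in the same commit so a later regression is caught. The diffstat shown is limited to the reports directory, so this cannot be confirmed from the page. In the same row, the `href` context line has a bare `&` before `resolution=---`; writing `&amp;resolution=---` keeps the attribute well-formed.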