author | Frédéric Buclin <LpSolit@gmail.com> | 2013-02-18 13:26:51 +0100 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-02-18 13:26:51 +0100 |
commit | 11829ac0a3822b246b76c00375c7e4137f9af33b (patch) | |
tree | dafb63ca81d73c8b60448934cd0ae719b366226f /template/en/default | |
parent | 2541a7dcf12529052a710def2e70afc794f4fbff (diff) | |
download | bugzilla-11829ac0a3822b246b76c00375c7e4137f9af33b.tar.gz bugzilla-11829ac0a3822b246b76c00375c7e4137f9af33b.tar.xz |
Bug 842063: HTML injection is possible using the bug alias
r=dkl a=LpSolit
Diffstat (limited to 'template/en/default')
-rw-r--r-- | template/en/default/bug/show-header.html.tmpl | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/template/en/default/bug/show-header.html.tmpl b/template/en/default/bug/show-header.html.tmpl index 54d51dd4f..f67bbf2f8 100644 --- a/template/en/default/bug/show-header.html.tmpl +++ b/template/en/default/bug/show-header.html.tmpl @@ -13,12 +13,14 @@ # be overridden by the calling templates. #%] +[% filtered_alias = bug.alias FILTER html %] [% filtered_desc = bug.short_desc FILTER html %] -[% subheader = filtered_desc %] [% filtered_timestamp = bug.delta_ts FILTER time %] + +[% subheader = filtered_desc %] [% title = "$terms.Bug $bug.bug_id – " %] [% IF bug.alias != '' %] - [% title = title _ "($bug.alias) " %] + [% title = title _ "($filtered_alias) " %] [% END %] [% title = title _ filtered_desc %] [% yui = ['autocomplete', 'calendar'] %] |
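Review bot: the fix itself is right, and minimal: in the `[% IF bug.alias != '' %]` branch the title now interpolates `$filtered_alias` (the `FILTER html` copy of `bug.alias`) instead of the raw `$bug.alias`, so an alias containing `<` or `"` can no longer be injected into the page header; this matches how `filtered_desc` was already being handled. Two small points for the same hunk. First, the `FILTER html` on `bug.alias` is applied unconditionally at the top of the block, so it runs even when the alias is empty; that is harmless and keeps the escaping in one place, but consider a one-line comment next to `filtered_alias` stating that it, like `filtered_desc`, is pre-escaped and must only be output with `FILTER none` by the consuming templates, otherwise a future edit that re-applies `FILTER html` to `title` would double-escape it. Second, the relocation of `[% subheader = filtered_desc %]` below `filtered_timestamp` (the `-[% subheader = filtered_desc %]` / `+[% subheader = filtered_desc %]` pair) is a pure reorder with no behavioural effect; dropping it would keep the security fix self-contained and easier to backport.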