authorFrédéric Buclin <LpSolit@gmail.com>2013-02-18 13:26:51 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2013-02-18 13:26:51 +0100
commit11829ac0a3822b246b76c00375c7e4137f9af33b (patch)
treedafb63ca81d73c8b60448934cd0ae719b366226f /template/en/default
parent2541a7dcf12529052a710def2e70afc794f4fbff (diff)
downloadbugzilla-11829ac0a3822b246b76c00375c7e4137f9af33b.tar.gz
bugzilla-11829ac0a3822b246b76c00375c7e4137f9af33b.tar.xz
Bug 842063: HTML injection is possible using the bug alias
r=dkl a=LpSolit
Diffstat (limited to 'template/en/default')
-rw-r--r--template/en/default/bug/show-header.html.tmpl6
1 files changed, 4 insertions, 2 deletions
diff --git a/template/en/default/bug/show-header.html.tmpl b/template/en/default/bug/show-header.html.tmpl
index 54d51dd4f..f67bbf2f8 100644
--- a/template/en/default/bug/show-header.html.tmpl
+++ b/template/en/default/bug/show-header.html.tmpl
@@ -13,12 +13,14 @@
# be overridden by the calling templates.
#%]
+[% filtered_alias = bug.alias FILTER html %]
[% filtered_desc = bug.short_desc FILTER html %]
-[% subheader = filtered_desc %]
[% filtered_timestamp = bug.delta_ts FILTER time %]
+
+[% subheader = filtered_desc %]
[% title = "$terms.Bug $bug.bug_id &ndash; " %]
[% IF bug.alias != '' %]
- [% title = title _ "($bug.alias) " %]
+ [% title = title _ "($filtered_alias) " %]
[% END %]
[% title = title _ filtered_desc %]
[% yui = ['autocomplete', 'calendar'] %]