summaryrefslogtreecommitdiffstats
path: root/template
diff options
context:
space:
mode:
authorSimon Green <sgreen@redhat.com>2014-10-06 16:49:38 +0200
committerDavid Lawrence <dkl@mozilla.com>2014-10-06 16:49:38 +0200
commitfa954ab78cc60aba43aedb85e2b4f98d56d7bf9d (patch)
tree01b1eeaeeecd240a743cb280e2dbf101ad2aac37 /template
parentf33b119d68d21074d08a6bd72f960319276e182b (diff)
downloadbugzilla-fa954ab78cc60aba43aedb85e2b4f98d56d7bf9d.tar.gz
bugzilla-fa954ab78cc60aba43aedb85e2b4f98d56d7bf9d.tar.xz
Bug 1064140: [SECURITY] Private comments can be shown to flagmail recipients who aren't in the insider group
r=glob,a=glob
Diffstat (limited to 'template')
-rw-r--r--template/en/default/email/flagmail.txt.tmpl13
1 files changed, 8 insertions, 5 deletions
diff --git a/template/en/default/email/flagmail.txt.tmpl b/template/en/default/email/flagmail.txt.tmpl
index d0e1395e2..cf64d9661 100644
--- a/template/en/default/email/flagmail.txt.tmpl
+++ b/template/en/default/email/flagmail.txt.tmpl
@@ -68,11 +68,14 @@ Attachment [% attidsummary %]
[%- FILTER bullet = wrap(80) %]
-[% USE Bugzilla %]
-[%-# .defined is necessary to avoid a taint issue, see bug 509794. %]
-[% IF Bugzilla.cgi.param("comment").defined && Bugzilla.cgi.param("comment").length > 0 %]
-------- Additional Comments from [% user.identity %]
-[%+ Bugzilla.cgi.param("comment") FILTER strip_control_chars %]
+[% FOREACH comment = new_comments %]
+
+[%- IF comment.count %]
+--- Comment #[% comment.count %] from [% comment.author.identity %] ---
+[% ELSE %]
+--- Description ---
+[% END %]
+[%+ comment.body_full({ is_bugmail => 1, wrap => 1 }) FILTER strip_control_chars %]
[% END %]
[%- END %]