summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--Bugzilla/Template.pm5
-rwxr-xr-xchecksetup.pl1
-rw-r--r--t/004template.t1
-rw-r--r--t/008filter.t2
-rw-r--r--template/en/default/account/prefs/account.html.tmpl4
-rw-r--r--template/en/default/account/prefs/email.html.tmpl3
-rw-r--r--template/en/default/admin/flag-type/confirm-delete.html.tmpl2
-rw-r--r--template/en/default/admin/flag-type/edit.html.tmpl17
-rw-r--r--template/en/default/admin/flag-type/list.html.tmpl2
-rw-r--r--template/en/default/attachment/list.html.tmpl6
-rw-r--r--template/en/default/bug/activity/table.html.tmpl2
-rw-r--r--template/en/default/bug/create/create-guided.html.tmpl3
-rw-r--r--template/en/default/bug/create/create.html.tmpl3
-rw-r--r--template/en/default/bug/dependency-tree.html.tmpl44
-rw-r--r--template/en/default/bug/process/bugmail.html.tmpl4
-rw-r--r--template/en/default/bug/process/verify-new-product.html.tmpl6
-rw-r--r--template/en/default/bug/show-multiple.html.tmpl4
-rw-r--r--template/en/default/bug/votes/list-for-user.html.tmpl2
-rw-r--r--template/en/default/filterexceptions.pl127
-rw-r--r--template/en/default/global/code-error.html.tmpl39
-rw-r--r--template/en/default/global/confirm-user-match.html.tmpl6
-rw-r--r--template/en/default/global/messages.html.tmpl19
-rw-r--r--template/en/default/global/select-menu.html.tmpl2
-rw-r--r--template/en/default/global/useful-links.html.tmpl3
-rw-r--r--template/en/default/global/user-error.html.tmpl78
-rw-r--r--template/en/default/list/change-columns.html.tmpl4
-rw-r--r--template/en/default/list/list.html.tmpl4
-rw-r--r--template/en/default/reports/components.html.tmpl8
-rw-r--r--template/en/default/reports/duplicates-simple.html.tmpl2
-rw-r--r--template/en/default/reports/duplicates-table.html.tmpl25
-rw-r--r--template/en/default/reports/report-table.csv.tmpl13
-rw-r--r--template/en/default/reports/report-table.html.tmpl2
-rw-r--r--template/en/default/reports/report.html.tmpl16
-rw-r--r--template/en/default/search/form.html.tmpl2
-rw-r--r--template/en/default/search/knob.html.tmpl2
-rw-r--r--template/en/default/search/search-report-graph.html.tmpl2
-rw-r--r--template/en/default/search/search-report-table.html.tmpl2
37 files changed, 207 insertions, 260 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 2cb017d17..06be9243c 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -256,6 +256,11 @@ sub create {
$var =~ s/\@/\@/g;
return $var;
},
+
+ # We force filtering of every variable in key security-critical
+ # places; we have a none filter for people to use when they
+ # really, really don't want a variable to be changed.
+ none => sub { return $_[0]; } ,
},
PLUGIN_BASE => 'Bugzilla::Template::Plugin',
diff --git a/checksetup.pl b/checksetup.pl
index b7cffb05d..4f7985d9a 100755
--- a/checksetup.pl
+++ b/checksetup.pl
@@ -1078,6 +1078,7 @@ END
csv => sub { return $_; },
time => sub { return $_; },
obscure_email => sub { return $_; },
+ none => sub { return $_; } ,
},
}) || die ("Could not create Template Provider: "
. Template::Provider->error() . "\n");
diff --git a/t/004template.t b/t/004template.t
index 725241426..78d58edd5 100644
--- a/t/004template.t
+++ b/t/004template.t
@@ -99,6 +99,7 @@ foreach my $include_path (@include_paths) {
csv => sub { return $_ } ,
time => sub { return $_ } ,
obscure_email => sub { return $_ } ,
+ none => sub { return $_ } ,
},
}
);
diff --git a/t/008filter.t b/t/008filter.t
index 3bf7f3fd1..8b8b36d5c 100644
--- a/t/008filter.t
+++ b/t/008filter.t
@@ -199,7 +199,7 @@ sub directive_ok {
# Note: If a single directive prints two things, and only one is
# filtered, we may not catch that case.
return 1 if $directive =~ /FILTER\ (html|csv|js|url_quote|css_class_quote|
- quoteUrls|time|uri|xml|lower)/x;
+ quoteUrls|time|uri|xml|lower|none)/x;
return 0;
}
diff --git a/template/en/default/account/prefs/account.html.tmpl b/template/en/default/account/prefs/account.html.tmpl
index 798bb8e40..70190048a 100644
--- a/template/en/default/account/prefs/account.html.tmpl
+++ b/template/en/default/account/prefs/account.html.tmpl
@@ -74,7 +74,7 @@
</tr>
<tr>
<th align="right">Change request expires:</th>
- <td>[% login_change_date %]</td>
+ <td>[% login_change_date FILTER time %]</td>
</tr>
[% ELSE %]
<tr>
@@ -83,7 +83,7 @@
</tr>
<tr>
<th align="right">Completion date:</th>
- <td>[% login_change_date %]</td>
+ <td>[% login_change_date FILTER time %]</td>
</tr>
[% END %]
[% ELSE %]
diff --git a/template/en/default/account/prefs/email.html.tmpl b/template/en/default/account/prefs/email.html.tmpl
index fa6295e72..24853a726 100644
--- a/template/en/default/account/prefs/email.html.tmpl
+++ b/template/en/default/account/prefs/email.html.tmpl
@@ -57,7 +57,8 @@
<tr>
<th align="right">Users to watch:</th>
<td>
- <input size="35" name="watchedusers" value="[% watchedusers %]">
+ <input size="35" name="watchedusers"
+ value="[% watchedusers FILTER html %]">
</td>
</tr>
[% END %]
diff --git a/template/en/default/admin/flag-type/confirm-delete.html.tmpl b/template/en/default/admin/flag-type/confirm-delete.html.tmpl
index 6bf1ca43f..ddd99d7ca 100644
--- a/template/en/default/admin/flag-type/confirm-delete.html.tmpl
+++ b/template/en/default/admin/flag-type/confirm-delete.html.tmpl
@@ -29,7 +29,7 @@
%]
<p>
- There are [% flag_count %] flags of type [% name %].
+ There are [% flag_count %] flags of type [% name FILTER html %].
If you delete this type, those flags will also be deleted. Note that
instead of deleting the type you can
<a href="editflagtypes.cgi?action=deactivate&amp;id=[% flag_type.id %]">deactivate it</a>,
diff --git a/template/en/default/admin/flag-type/edit.html.tmpl b/template/en/default/admin/flag-type/edit.html.tmpl
index a56c3bb65..58519466d 100644
--- a/template/en/default/admin/flag-type/edit.html.tmpl
+++ b/template/en/default/admin/flag-type/edit.html.tmpl
@@ -67,10 +67,10 @@
<input type="hidden" name="id" value="[% type.id %]">
<input type="hidden" name="target_type" value="[% type.target_type %]">
[% FOREACH category = type.inclusions %]
- <input type="hidden" name="inclusions" value="[% category %]">
+ <input type="hidden" name="inclusions" value="[% category FILTER html %]">
[% END %]
[% FOREACH category = type.exclusions %]
- <input type="hidden" name="exclusions" value="[% category %]">
+ <input type="hidden" name="exclusions" value="[% category FILTER html %]">
[% END %]
<table id="form" cellspacing="0" cellpadding="4" border="0">
@@ -105,13 +105,17 @@
<select name="product" onchange="selectProduct(this.form, 'product', 'component', '__Any__');">
<option value="">__Any__</option>
[% FOREACH item = products %]
- <option value="[% item %]" [% "selected" IF type.product.name == item %]>[% item %]</option>
+ <option value="[% item FILTER html %]"
+ [% "selected" IF type.product.name == item %]>
+ [% item FILTER html %]</option>
[% END %]
</select><br>
<select name="component">
<option value="">__Any__</option>
[% FOREACH item = components %]
- <option value="[% item %]" [% "selected" IF type.component.name == item %]>[% item %]</option>
+ <option value="[% item FILTER html %]"
+ [% "selected" IF type.component.name == item %]>
+ [% item FILTER html %]</option>
[% END %]
</select><br>
<input type="submit" name="categoryAction" value="Include">
@@ -186,7 +190,10 @@
<tr>
<th></th>
<td>
- <input type="submit" value="[% (last_action == "enter" || last_action == "copy") ? "Create" : "Save Changes" %]">
+ <input type="submit" value="
+ [% IF (last_action == "enter" || last_action == "copy") %]Create
+ [% ELSE %]Save Changes
+ [% END %]">
</td>
</tr>
diff --git a/template/en/default/admin/flag-type/list.html.tmpl b/template/en/default/admin/flag-type/list.html.tmpl
index 0e3306d27..80764d613 100644
--- a/template/en/default/admin/flag-type/list.html.tmpl
+++ b/template/en/default/admin/flag-type/list.html.tmpl
@@ -92,7 +92,7 @@
[% FOREACH type = types %]
- <tr class="[% type.is_active ? "active" : "inactive" %]">
+ <tr class="[% IF type.is_active %]active[% ELSE %]inactive[% END %]">
<td><a href="editflagtypes.cgi?action=edit&amp;id=[% type.id %]">[% type.name FILTER html %]</a></td>
<td>[% type.description FILTER html %]</td>
<td>
diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl
index 163071997..1e3618093 100644
--- a/template/en/default/attachment/list.html.tmpl
+++ b/template/en/default/attachment/list.html.tmpl
@@ -53,13 +53,13 @@
[% IF attachment.flags.size == 0 %]
<i>none</i>
[% ELSE %]
- [% FOR flag = attachment.flags %]
+ [% FOREACH flag = attachment.flags %]
[% IF flag.setter %]
[% flag.setter.nick FILTER html %]:
[% END %]
- [%+ flag.type.name %][% flag.status %]
+ [%+ flag.type.name FILTER html %][% flag.status %]
[%+ IF flag.status == "?" && flag.requestee %]
- ([% flag.requestee.nick %])
+ ([% flag.requestee.nick FILTER html %])
[% END %]<br>
[% END %]
[% END %]
diff --git a/template/en/default/bug/activity/table.html.tmpl b/template/en/default/bug/activity/table.html.tmpl
index ec005cc38..af6305b5d 100644
--- a/template/en/default/bug/activity/table.html.tmpl
+++ b/template/en/default/bug/activity/table.html.tmpl
@@ -60,7 +60,7 @@
[% FOREACH operation = operations %]
<tr>
<td rowspan="[% operation.changes.size %]" valign="top">
- [% operation.who %]
+ [% operation.who FILTER html %]
</td>
<td rowspan="[% operation.changes.size %]" valign="top">
[% operation.when FILTER time %]
diff --git a/template/en/default/bug/create/create-guided.html.tmpl b/template/en/default/bug/create/create-guided.html.tmpl
index fb5828fe8..7e0220b85 100644
--- a/template/en/default/bug/create/create-guided.html.tmpl
+++ b/template/en/default/bug/create/create-guided.html.tmpl
@@ -224,7 +224,8 @@ function PutDescription() {
The area where the problem occurs.
To pick the right component, you could use the same one as
similar [% terms.bugs %] you found in your search, or read the full list of
- <a href="describecomponents.cgi?product=[% product %]">component
+ <a href="describecomponents.cgi?product=
+ [% product FILTER url_quote %]">component
descriptions</a> if you need more help.
</p>
diff --git a/template/en/default/bug/create/create.html.tmpl b/template/en/default/bug/create/create.html.tmpl
index 14ce27180..b15efffac 100644
--- a/template/en/default/bug/create/create.html.tmpl
+++ b/template/en/default/bug/create/create.html.tmpl
@@ -171,7 +171,8 @@ function set_assign_to() {
<td colspan="2"></td>
</tr>
[% ELSE %]
- <input type="hidden" name="bug_status" value="[% default.bug_status %]">
+ <input type="hidden" name="bug_status"
+ value="[% default.bug_status FILTER html %]">
[% END %]
<tr>
diff --git a/template/en/default/bug/dependency-tree.html.tmpl b/template/en/default/bug/dependency-tree.html.tmpl
index 194691e56..16f68b394 100644
--- a/template/en/default/bug/dependency-tree.html.tmpl
+++ b/template/en/default/bug/dependency-tree.html.tmpl
@@ -32,8 +32,14 @@
[% PROCESS depthControlToolbar %]
[%# Display the tree of bugs that this bug depends on. %]
-<h3>[% hide_resolved ? "Open $terms.bugs" : "$terms.Bugs" %]
- that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %]&nbsp;[% bugid %]</a> depends on</h3>
+<h3>
+ [% IF hide_resolved %]
+ Open [% terms.bugs %]
+ [% ELSE %]
+ [% terms.Bugs %]
+ [% END %]
+ that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %]&nbsp;[% bugid %]</a>
+ depends on</h3>
[% IF dependson_ids.size > 0 %]
(
[% IF maxdepth -%]Up to [% maxdepth %] level[% "s" IF maxdepth > 1 %] deep | [% END %]
@@ -48,8 +54,14 @@
[% END %]
[%# Display the tree of bugs that this bug blocks. %]
-<h3>[% hide_resolved ? "Open $terms.bugs" : "$terms.Bugs" %]
- that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %]&nbsp;[% bugid %]</a> blocks</h3>
+<h3>
+ [% IF hide_resolved %]
+ Open [% terms.bugs %]
+ [% ELSE %]
+ [% terms.Bugs %]
+ [% END %]
+ that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %]&nbsp;[% bugid %]</a>
+ blocks</h3>
[% IF blocked_ids.size > 0 %]
(
[% IF maxdepth -%]Up to [% maxdepth %] level[% "s" IF maxdepth > 1 %] deep | [% END %]
@@ -112,7 +124,8 @@
<input name="maxdepth" type="hidden" value="[% maxdepth %]">
[% END %]
<input type="hidden" name="hide_resolved" value="[% hide_resolved ? 0 : 1 %]">
- <input type="submit" value="[% hide_resolved ? "Show" : "Hide" %] Resolved">
+ <input type="submit"
+ value="[% IF hide_resolved %]Show[% ELSE %]Hide[% END %] Resolved">
</form>
</td>
@@ -128,9 +141,8 @@
<form method="get" action="showdependencytree.cgi"
style="display: inline; margin: 0px;">
[%# set to one form %]
- <input type="submit" value="&nbsp;1&nbsp;" [%
- realdepth < 2 || maxdepth == 1 ? "disabled" : ""
- %]>
+ <input type="submit" value="&nbsp;1&nbsp;"
+ [% "disabled" IF realdepth < 2 || maxdepth == 1 %]>
<input name="id" type="hidden" value="[% bugid %]">
<input name="maxdepth" type="hidden" value="1">
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
@@ -148,9 +160,8 @@
: ( maxdepth ? maxdepth - 1 : realdepth - 1 )
%]">
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
- <input type="submit" value="&nbsp;&lt;&nbsp;" [%
- realdepth < 2 || ( maxdepth && maxdepth < 2 ) ? "disabled" : ""
- %]>
+ <input type="submit" value="&nbsp;&lt;&nbsp;"
+ [% "disabled" IF realdepth < 2 || ( maxdepth && maxdepth < 2 ) %]>
</form>
</td>
@@ -165,7 +176,7 @@
<input name="id" type="hidden" value="[% bugid %]">
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
<noscript>
- <input type="submit" value="Change" [% realdepth < 2 ? "disabled" : "" %]>
+ <input type="submit" value="Change" [% "disabled" IF realdepth < 2 %]>
</noscript>
</form>
</td>
@@ -180,10 +191,9 @@
<input name="maxdepth" type="hidden" value="[% maxdepth + 1 %]">
[% END %]
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
- <input type="submit" value="&nbsp;&gt;&nbsp;" [%
- realdepth < 2 || ! maxdepth || maxdepth >= realdepth ?
- "disabled" : ""
- %]>
+ <input type="submit" value="&nbsp;&gt;&nbsp;"
+ [% "disabled" IF realdepth < 2 || !maxdepth || maxdepth >= realdepth %]
+ %]>
</form>
</td>
@@ -194,7 +204,7 @@
<input name="id" type="hidden" value="[% bugid %]">
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
<input type="submit" value="&nbsp;Unlimited&nbsp;"
- [% maxdepth == 0 || maxdepth == realdepth ? "disabled" : "" %]>
+ [% "disabled" IF maxdepth == 0 || maxdepth == realdepth %]>
</form>
</td>
</tr>
diff --git a/template/en/default/bug/process/bugmail.html.tmpl b/template/en/default/bug/process/bugmail.html.tmpl
index 631842a40..1e9c13abe 100644
--- a/template/en/default/bug/process/bugmail.html.tmpl
+++ b/template/en/default/bug/process/bugmail.html.tmpl
@@ -61,10 +61,10 @@
[%############################################################################%]
[% BLOCK emails %]
- <b>[% description %]:</b>
+ <b>[% description FILTER html %]:</b>
[% IF names.size > 0 %]
[%+ FOREACH name = names %]
- [% name %][% ", " UNLESS loop.last() %]
+ [% name FILTER html %][% ", " UNLESS loop.last() %]
[% END %]
[% ELSE %]
no one
diff --git a/template/en/default/bug/process/verify-new-product.html.tmpl b/template/en/default/bug/process/verify-new-product.html.tmpl
index fd37707dc..b3e6af250 100644
--- a/template/en/default/bug/process/verify-new-product.html.tmpl
+++ b/template/en/default/bug/process/verify-new-product.html.tmpl
@@ -48,11 +48,13 @@
<p>
[% IF use_target_milestone %]
- You are moving the [% terms.bug %](s) to the product <b>[% form.product %]</b>,
+ You are moving the [% terms.bug %](s) to the product
+ <b>[% form.product FILTER html %]</b>,
and the version, component, and/or target milestone fields are no longer
correct. Please set the correct version, component, and target milestone now:
[% ELSE %]
- You are moving the [% terms.bug %](s) to the product <b>[% form.product %]</b>,
+ You are moving the [% terms.bug %](s) to the product
+ <b>[% form.product FILTER html %]</b>,
and the version and component fields are no longer correct.
Please set the correct version and component now:
[% END %]
diff --git a/template/en/default/bug/show-multiple.html.tmpl b/template/en/default/bug/show-multiple.html.tmpl
index bda5e4f91..340a0ebf8 100644
--- a/template/en/default/bug/show-multiple.html.tmpl
+++ b/template/en/default/bug/show-multiple.html.tmpl
@@ -97,7 +97,7 @@
<tr>
<td colspan="2">
<b>Component:</b>&nbsp;
- [% bug.component %]
+ [% bug.component FILTER html %]
</td>
<td colspan="2">
@@ -190,7 +190,7 @@
[% BLOCK cell %]
<td>
- <b>[% attr.description%]:</b>&nbsp;
+ <b>[% attr.description FILTER html %]:</b>&nbsp;
[% bug.${attr.name} FILTER html %]
</td>
[% END %]
diff --git a/template/en/default/bug/votes/list-for-user.html.tmpl b/template/en/default/bug/votes/list-for-user.html.tmpl
index bcb5956ea..1505713ff 100644
--- a/template/en/default/bug/votes/list-for-user.html.tmpl
+++ b/template/en/default/bug/votes/list-for-user.html.tmpl
@@ -21,9 +21,9 @@
[% PROCESS global/variables.none.tmpl %]
+[% h2 = voting_user.login FILTER html %]
[% PROCESS global/header.html.tmpl
title = "Show Votes"
- h2 = voting_user.name
%]
[% canedit = 1 IF voting_user.login == user.login %]
diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl
index a1f0a89f2..afe3ef487 100644
--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
@@ -33,17 +33,7 @@
# Safe vmethods - [% foo.size %]
# TT loop variables - [% loop.count %]
# Already-filtered stuff - [% wibble FILTER html %]
-# where the filter is one of html|csv|js|url_quote|quoteUrls|time|uri|xml
-
-# Key:
-#
-# "#": directive should be filtered, but not doing so is not a security hole
-# The plan is to come back and add filtering for all those marked "#" after
-# the security release.
-#
-# "# Email": as above; but noting that it's an email address.
-# Other sorts of comments denote cleanups noticed while doing this work;
-# they should be fixed in the very short term.
+# where the filter is one of html|csv|js|url_quote|quoteUrls|time|uri|xml|none
%::safe = (
@@ -80,19 +70,6 @@
'field.accesskey',
'sel.name',
'sel.accesskey',
- 'button_name', #
-],
-
-'search/knob.html.tmpl' => [
- 'button_name', #
-],
-
-'search/search-report-graph.html.tmpl' => [
- 'button_name', #
-],
-
-'search/search-report-table.html.tmpl' => [
- 'button_name', #
],
'search/search-specific.html.tmpl' => [
@@ -115,19 +92,11 @@
'reports/components.html.tmpl' => [
'numcols',
'comp.description',
- 'comp.initialowner', # email address
- 'comp.initialqacontact', # email address
-],
-
-'reports/duplicates-simple.html.tmpl' => [
- 'title', #
],
'reports/duplicates-table.html.tmpl' => [
'"&maxrows=$maxrows" IF maxrows',
'"&changedsince=$changedsince" IF changedsince',
- '"&product=$product" IF product', #
- '"&format=$format" IF format', #
'"&bug_id=$bug_ids_string&sortvisible=1" IF sortvisible',
'column.name',
'column.description',
@@ -135,10 +104,6 @@
'bug.id',
'bug.count',
'bug.delta',
- 'bug.component', #
- 'bug.bug_severity', #
- 'bug.op_sys', #
- 'bug.target_milestone', #
],
'reports/duplicates.html.tmpl' => [
@@ -154,11 +119,9 @@
],
'reports/report-table.csv.tmpl' => [
- '"$tbl_field_disp: $tbl\n" IF tbl_field', #
- 'row_field_disp IF row_field', #
- 'col_field_disp', #
'num_bugs',
'data.$tbl.$col.$row',
+ 'title',
'', # This is not a bug in the filter exceptions - this template has an
# empty directive which is necessary for it to work properly.
],
@@ -168,7 +131,6 @@
'"&amp;$tbl_vals" IF tbl_vals',
'"&amp;$col_vals" IF col_vals',
'"&amp;$row_vals" IF row_vals',
- 'tbl_disp', #
'classes.$row_idx.$col_idx',
'urlbase',
'data.$tbl.$col.$row',
@@ -178,16 +140,12 @@
],
'reports/report.html.tmpl' => [
- 'tbl_field_disp IF tbl_field', #
- 'row_field_disp IF row_field', #
- 'col_field_disp', #
'imagebase',
'width',
'height',
'imageurl',
'formaturl',
'other_format.name',
- 'other_format.description', #
'sizeurl',
'switchbase',
'format',
@@ -233,7 +191,6 @@
'list/change-columns.html.tmpl' => [
'column',
- 'field_descs.${column} || column', #
],
'list/edit-multiple.html.tmpl' => [
@@ -250,7 +207,6 @@
'list/list.html.tmpl' => [
'buglist',
- 'bugowners', # email address
],
'list/list.rdf.tmpl' => [
@@ -260,7 +216,6 @@
],
'list/table.html.tmpl' => [
- 'abbrev.$id.title || field_descs.$id || column.title', #
'tableheader',
'bug.bug_id',
],
@@ -287,19 +242,12 @@
'proddesc.$p',
],
+# You are not permitted to add any values here. Everything in this file should
+# be filtered unless there's an extremely good reason why not, in which case,
+# use the "none" dummy filter.
'global/code-error.html.tmpl' => [
- 'parameters',
- 'bug.bug_id',
- 'field',
- 'argument', #
- 'function', #
- 'bug_id', # Need to remove unused error no_bug_data
- 'variables.id',
- 'template_error_msg', # Should move filtering from CGI.pl to template
- 'error',
- 'error_message',
],
-
+
'global/header.html.tmpl' => [
'javascript',
'style',
@@ -313,49 +261,27 @@
],
'global/messages.html.tmpl' => [
- 'parameters',
- '# ---', # Work out what this is
- 'namedcmd', #
- 'old_email', # email address
- 'new_email', # email address
'message_tag',
'series.frequency * 2',
],
'global/select-menu.html.tmpl' => [
'options',
- 'onchange', # Again, need to be certain where we are filtering
'size',
],
'global/useful-links.html.tmpl' => [
'email',
- 'user.login', # Email address
],
-# Need to change this and code-error to use a no-op filter, for safety
+# You are not permitted to add any values here. Everything in this file should
+# be filtered unless there's an extremely good reason why not, in which case,
+# use the "none" dummy filter.
'global/user-error.html.tmpl' => [
- 'disabled_reason',
- 'bug_link',
- 'action', #
- 'bug_id',
- 'both',
- 'filesize',
- 'attach_id',
- 'field',
- 'field_descs.$field',
- 'today',
- 'product', #
- 'max',
- 'votes',
- 'error_message',
],
'global/confirm-user-match.html.tmpl' => [
- '# use the global field descs', # Need to fix commenting style here
'script',
- '# this is messy to allow later expansion',
- '# ELSIF for things that don\'t belong in the field_descs hash here',
'fields.${field_name}.flag_type.name',
],
@@ -381,22 +307,16 @@
],
'bug/dependency-tree.html.tmpl' => [
- 'hide_resolved ? "Open $terms.bugs" : "$terms.Bugs"',
'bugid',
'maxdepth',
'dependson_ids.join(",")',
'blocked_ids.join(",")',
'dep_id',
'hide_resolved',
- 'realdepth < 2 ? "disabled" : ""',
'maxdepth + 1',
- 'maxdepth == 0 || maxdepth == realdepth ? "disabled" : ""',
- 'realdepth < 2 || ( maxdepth && maxdepth < 2 ) ? "disabled" : ""',
'maxdepth > 0 && maxdepth <= realdepth ? maxdepth : ""',
'maxdepth == 1 ? 1
: ( maxdepth ? maxdepth - 1 : realdepth - 1 )',
- 'realdepth < 2 || ! maxdepth || maxdepth >= realdepth ?
- "disabled" : ""',
],
'bug/edit.html.tmpl' => [
@@ -425,8 +345,6 @@
'bug/show-multiple.html.tmpl' => [
'bug.bug_id',
- 'bug.component', #
- 'attr.description', #
],
'bug/show.xml.tmpl' => [
@@ -454,7 +372,6 @@
'product.total',
'product.maxvotes',
],
-# h2 = voting_user.name # Email
'bug/process/confirm-duplicate.html.tmpl' => [
'original_bug_id',
@@ -474,21 +391,11 @@
'id',
],
-'bug/process/verify-new-product.html.tmpl' => [
- 'form.product', #
-],
-
-'bug/process/bugmail.html.tmpl' => [
- 'description',
- 'name', # Email
-],
-
'bug/create/comment.txt.tmpl' => [
'form.comment',
],
'bug/create/create.html.tmpl' => [
- 'default.bug_status', #
'g.bit',
'g.description',
'sel.name',
@@ -498,7 +405,6 @@
'bug/create/create-guided.html.tmpl' => [
'matches.0',
'tablecolour',
- 'product', #
'buildid',
'sel',
],
@@ -508,7 +414,6 @@
],
'bug/activity/table.html.tmpl' => [
- 'operation.who', # Email
'change.attachid',
'change.field',
],
@@ -532,10 +437,7 @@
'attachment/list.html.tmpl' => [
'attachment.attachid',
- 'FOR flag = attachment.flags', # Bug? No FOR directive
- 'flag.type.name',
'flag.status',
- 'flag.requestee.nick', # Email
'bugid',
],
@@ -585,7 +487,6 @@
'admin/flag-type/confirm-delete.html.tmpl' => [
'flag_count',
- 'name', #
'flag_type.id',
],
@@ -593,10 +494,7 @@
'action',
'type.id',
'type.target_type',
- 'category', #
- 'item', #
'type.sortkey || 1',
- '(last_action == "enter" || last_action == "copy") ? "Create" : "Save Changes"',
'typeLabelLowerPlural',
'typeLabelLowerSingular',
],
@@ -610,12 +508,7 @@
'target',
],
-'account/prefs/account.html.tmpl' => [
- 'login_change_date', #
-],
-
'account/prefs/email.html.tmpl' => [
- 'watchedusers', # Email
'role',
'reason.name',
'reason.description',
@@ -634,5 +527,3 @@
],
);
-
-# Should filter reports/report.html.tmpl:130 $format
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 60ae95043..939c0c4dc 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -28,6 +28,9 @@
[%# This is a list of all the possible code errors. Please keep them in
# alphabetical order by error tag, and leave a blank line between errors.
+ #
+ # Note that you must explicitly filter every single template variable
+ # in this file; if you do not wish to change it, use the "none" filter.
#%]
[% PROCESS global/variables.none.tmpl %]
@@ -35,14 +38,7 @@
[% DEFAULT title = "Internal Error" %]
[% error_message = BLOCK %]
- [% IF error == "aaa_example_error_tag" %]
- [% title = "Example Error" %]
- This is an example error. The title is set above. This text is the body
- of the error. It can contain arbitrary <b>HTML</b>, and also references
- to any [% parameters %] which you may have set before calling
- ThrowCodeError.
-
- [% ELSIF error == "action_unrecognized" %]
+ [% IF error == "action_unrecognized" %]
I don't recognize the value (<em>[% variables.action FILTER html %]</em>)
of the <em>action</em> variable.
@@ -61,8 +57,8 @@
An authorization handler return value was not handled by the login code.
[% ELSIF error == "bug_error" %]
- Trying to retrieve [% terms.bug %] [%+ bug.bug_id %] returned the error
- [% bug.error FILTER html %]
+ Trying to retrieve [% terms.bug %] [%+ bug.bug_id FILTER html %] returned
+ the error [% bug.error FILTER html %].
[% ELSIF error == "chart_data_not_generated" %]
The tool which gathers [% terms.bug %] counts has not been run yet.
@@ -82,7 +78,7 @@
Run checksetup.pl for installation instructions.
[% ELSIF error == "field_type_mismatch" %]
- Cannot seem to handle <code>[% field %]</code>
+ Cannot seem to handle <code>[% field FILTER html %]</code>
and <code>[% type FILTER html %]</code> together.
[% ELSIF error == "gd_not_installed" %]
@@ -107,8 +103,8 @@
'[% bit FILTER html %]'.
[% ELSIF error == "bad_arg" %]
- Bad argument <code>[% argument %]</code> sent to
- <code>[% function %]</code> function.
+ Bad argument <code>[% argument FILTER html %]</code> sent to
+ <code>[% function FILTER html %]</code> function.
[% ELSIF error == "invalid_attach_id_to_obsolete" %]
The attachment number of one of the attachments you wanted to obsolete,
@@ -145,11 +141,8 @@
but you tried to flag it as obsolete while creating a new attachment to
[% terms.bug %] [%+ my_bug_id FILTER html %].
- [% ELSIF error == "no_bug_data" %]
- No data when fetching [% terms.bug %] [%+ bug_id %].
-
[% ELSIF error == "flag_nonexistent" %]
- There is no flag with ID #[% variables.id %].
+ There is no flag with ID #[% variables.id FILTER html %].
[% ELSIF error == "flag_status_invalid" %]
The flag status <em>[% variables.status FILTER html %]</em> is invalid.
@@ -166,7 +159,7 @@
a positive integer.
[% ELSIF error == "flag_type_nonexistent" %]
- There is no flag type with the ID <em>[% variables.id %]</em>.
+ There is no flag type with the ID <em>[% variables.id FILTER html %]</em>.
[% ELSIF error == "flag_type_product_nonexistent" %]
The product <em>[% variables.product FILTER html %]</em> does not exist.
@@ -212,7 +205,7 @@
Something is seriously wrong with the token generation system.
[% ELSIF error == "template_error" %]
- [% template_error_msg %]
+ [% template_error_msg FILTER html %]
[% ELSIF error == "unable_to_retrieve_password" %]
I was unable to retrieve your old password from the database.
@@ -238,9 +231,9 @@
[% ELSE %]
[%# Give sensible error if error functions are used incorrectly.
#%]
- You are using [% terms.Bugzilla %]'s ThrowCodeError() function incorrectly. You
- passed in the string '[% error %]'. The correct use is to pass
- in a tag, and define that tag in the file code-error.html.tmpl.<br>
+ You are using [% terms.Bugzilla %]'s ThrowCodeError() function incorrectly.
+ You passed in the string '[% error FILTER html %]'. The correct use is to
+ pass in a tag, and define that tag in the file code-error.html.tmpl.<br>
<br>
If you are a [% terms.Bugzilla %] end-user seeing this message, please save this
page and send it to [% Param('maintainer') %].
@@ -267,7 +260,7 @@
<tr>
<td bgcolor="#ff0000">
<font size="+2">
- [% error_message %]
+ [% error_message FILTER none %]
</font>
</td>
</tr>
diff --git a/template/en/default/global/confirm-user-match.html.tmpl b/template/en/default/global/confirm-user-match.html.tmpl
index 037f7385c..ec4c4f150 100644
--- a/template/en/default/global/confirm-user-match.html.tmpl
+++ b/template/en/default/global/confirm-user-match.html.tmpl
@@ -38,7 +38,7 @@
# self-referential URL
#%]
-[% # use the global field descs %]
+[%# use the global field descs %]
[% PROCESS "global/field-descs.none.tmpl" %]
[% IF matchsuccess == 1 %]
@@ -74,7 +74,7 @@
</td>
</tr>
- [% # this is messy to allow later expansion %]
+ [%# this is messy to allow later expansion %]
[% FOREACH field = matches %]
<tr>
@@ -173,7 +173,7 @@
[% IF field_descs.${field_name} %]
[% field_descs.${field_name} FILTER html -%]
- [%- # ELSIF for things that don't belong in the field_descs hash here -%]
+ [%-# ELSIF for things that don't belong in the field_descs hash here -%]
[% ELSIF field_name.match("^requestee") %]
[% fields.${field_name}.flag_type.name %] requestee
diff --git a/template/en/default/global/messages.html.tmpl b/template/en/default/global/messages.html.tmpl
index e8aa8047f..e84e9747d 100644
--- a/template/en/default/global/messages.html.tmpl
+++ b/template/en/default/global/messages.html.tmpl
@@ -28,21 +28,15 @@
[% message_tag = message %]
[% message = BLOCK %]
- [% IF message_tag == "aaa_example_message_tag" %]
- [% title = "Example Message" %]
- This is an example message. The title is set above. This text is the body
- of the message. It can contain arbitrary <b>HTML</b>, and also references
- to any [% parameters %] which you may have set.
-
- [% ELSIF message_tag == "buglist_adding_field" %]
+ [% IF message_tag == "buglist_adding_field" %]
[% title = "Adding field to query page..." %]
[% link = "Click here if the page does not redisplay automatically." %]
- [% # --- %]
[% ELSIF message_tag == "buglist_load_named_query" %]
- [% title = BLOCK %]Loading your query named [% namedcmd %][% END %]
+ [% title = BLOCK %]
+ Loading your query named [% namedcmd FILTER html %]
+ [% END %]
[% link = "Click here if the page does not redisplay automatically." %]
- [% # --- %]
[% ELSIF message_tag == "buglist_updated_named_query" %]
OK, your query named <code>[% queryname FILTER html %]</code> is updated.
@@ -81,8 +75,9 @@
[% ELSIF message_tag == "email_change_cancelled_reinstated" %]
[% title = "Cancel Request to Change Email Address" %]
The request to change the email address for the
- [% old_email %] account to [% new_email %] has been cancelled.
- Your old account settings have been reinstated.
+ [% old_email FILTER html %] account to
+ [% new_email FILTER html %] has been cancelled.
+ Your old account settings have been reinstated.
[% ELSIF message_tag == "logged_out" %]
[% title = "Logged Out" %]
diff --git a/template/en/default/global/select-menu.html.tmpl b/template/en/default/global/select-menu.html.tmpl
index 7b7fddb29..f1768d0d5 100644
--- a/template/en/default/global/select-menu.html.tmpl
+++ b/template/en/default/global/select-menu.html.tmpl
@@ -44,7 +44,7 @@
[% options_type = BLOCK %][% options %][% END %]
<select name="[% name FILTER html %]"
- [% IF onchange %]onchange="[% onchange %]"[% END %]
+ [% IF onchange %]onchange="[% onchange FILTER html %]"[% END %]
[% IF multiple %] multiple [% IF size %] size="[% size %]" [% END %] [% END %]>
[% IF options_type.search("ARRAY") %]
[% FOREACH value = options %]
diff --git a/template/en/default/global/useful-links.html.tmpl b/template/en/default/global/useful-links.html.tmpl
index 889a5091a..135dad987 100644
--- a/template/en/default/global/useful-links.html.tmpl
+++ b/template/en/default/global/useful-links.html.tmpl
@@ -73,7 +73,8 @@
[% ' | <a href="sanitycheck.cgi">Sanity&nbsp;check</a>'
IF user.groups.tweakparams %]
- | <a href="relogin.cgi">Log&nbsp;out</a>&nbsp;[% user.login %]
+ | <a href="relogin.cgi">Log&nbsp;out</a>&nbsp;
+ [% user.login FILTER html %]
</td>
</tr>
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index de5d60c6c..b1cf46ecb 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -27,6 +27,9 @@
[%# This is a list of all the possible user errors. Please keep them in
# alphabetical order by error tag, and leave a blank line between errors.
+ #
+ # Note that you must explicitly filter every single template variable
+ # in this file; if you do not wish to change it, use the "none" filter.
#%]
[% PROCESS global/variables.none.tmpl %]
@@ -44,7 +47,7 @@
[% ELSIF error == "account_disabled" %]
[% title = "Account Disabled" %]
- [% disabled_reason %]
+ [% disabled_reason FILTER none %]
<hr>
If you believe your account should be restored, please
send email to [% Param("maintainer") %] explaining why.
@@ -72,7 +75,7 @@
[% ELSIF error == "alias_in_use" %]
[% title = "Alias In Use" %]
- [% bug_link %] has already taken the alias
+ [% bug_link FILTER none %] has already taken the alias
<em>[% alias FILTER html %]</em>. Please choose another one.
[% ELSIF error == "alias_is_numeric" %]
@@ -95,7 +98,7 @@
[% ELSIF error == "authorization_failure" %]
[% title = "Authorization Failed" %]
- You are not allowed to [% action %].
+ You are not allowed to [% action FILTER html %].
[% ELSIF error == "attachment_access_denied" %]
[% title = "Access Denied" %]
@@ -103,13 +106,14 @@
[% ELSIF error == "bug_access_denied" %]
[% title = "Access Denied" %]
- You are not authorized to access [% terms.bug %] #[% bug_id %].
+ You are not authorized to access [% terms.bug %] #[% bug_id FILTER html %].
[% ELSIF error == "bug_access_query" %]
[% title = "Access Denied" %]
- You are not authorized to access [% terms.bug %] #[% bug_id %]. To see
- this [% terms.bug %], you must
- first <a href="show_bug.cgi?id=[% bug_id %]&amp;GoAheadAndLogIn=1">log
+ You are not authorized to access [% terms.bug %] #[% bug_id FILTER html %].
+ To see this [% terms.bug %], you must
+ first <a href="show_bug.cgi?id=
+ [% bug_id FILTER url_quote %]&amp;GoAheadAndLogIn=1">log
in to an account</a> with the appropriate permissions.
[% ELSIF error == "buglist_parameters_required" %]
@@ -139,7 +143,7 @@
[% title = "Dependency Loop Detected" %]
The following [% terms.bug %](s) would appear on both the "depends on"
and "blocks" parts of the dependency tree if these changes
- are committed: [% both %]. This would create a circular
+ are committed: [% both FILTER none %]. This would create a circular
dependency, which is not allowed.
[% ELSIF error == "dependency_loop_single" %]
@@ -176,7 +180,8 @@
[% ELSIF error == "file_too_large" %]
[% title = "File Too Large" %]
- The file you are trying to attach is [% filesize %] kilobytes (KB) in size.
+ The file you are trying to attach is [% filesize FILTER html %]
+ kilobytes (KB) in size.
Non-patch attachments cannot be more than [% Param('maxattachmentsize') %]
KB.
If your attachment is an image, try converting it to a compressable
@@ -187,8 +192,10 @@
[% title = "Flag Requestee Not Authorized" %]
You asked [% requestee.identity FILTER html %]
- for <code>[% flag_type.name FILTER html %]</code> on [% terms.bug %] [% bug_id -%]
- [% IF attach_id %], attachment [% attach_id %][% END %], but that [% terms.bug %]&bnsp;
+ for <code>[% flag_type.name FILTER html %]</code> on [% terms.bug %]
+ [% bug_id FILTER html -%]
+ [% IF attach_id %], attachment [% attach_id FILTER html %][% END %],
+ but that [% terms.bug %]&bnsp;
has been restricted to users in certain groups, and the user you asked
isn't in all the groups to which the [% terms.bug %] has been restricted.
Please choose someone else to ask, or make the [% terms.bug %] accessible to users
@@ -198,8 +205,10 @@
[% title = "Flag Requestee Not Authorized" %]
You asked [% requestee.identity FILTER html %]
- for <code>[% flag_type.name FILTER html %]</code> on [% terms.bug %]&nbsp;[% bug_id %],
- attachment [% attach_id %], but that attachment is restricted to users
+ for <code>[% flag_type.name FILTER html %]</code> on
+ [% terms.bug %]&nbsp;[% bug_id FILTER html %],
+ attachment [% attach_id FILTER html %], but that attachment is restricted
+ to users
in the [% Param("insidergroup") FILTER html %] group, and the user
you asked isn't in that group. Please choose someone else to ask,
or ask an administrator to add the user to the group.
@@ -233,11 +242,12 @@
[% ELSIF error == "illegal_attachment_edit" %]
[% title = "Unauthorised Action" %]
- You are not authorised to edit attachment [% attach_id %].
+ You are not authorised to edit attachment [% attach_id FILTER html %].
[% ELSIF error == "illegal_attachment_edit_bug" %]
[% title = "Unauthorised Action" %]
- You are not authorised to edit attachments on [% terms.bug %] [%+ bug_id %].
+ You are not authorised to edit attachments on [% terms.bug %]
+ [%+ bug_id FILTER html %].
[% ELSIF error == "illegal_attachment_is_patch" %]
[% title = "Your Query Makes No Sense" %]
@@ -246,7 +256,8 @@
[% ELSIF error == "illegal_change" %]
[% title = "Not allowed" %]
- You tried to change the <strong>[% field %]</strong> field
+ You tried to change the
+ <strong>[% field_descs.$field FILTER html %]</strong> field
from <em>[% oldvalue FILTER html %]</em> to
<em>[% newvalue FILTER html %]</em>,
but only the owner or submitter of the [% terms.bug %], or a
@@ -320,7 +331,7 @@
[% ELSIF error == "invalid_bug_id_non_existent" %]
[% title = BLOCK %]Invalid [% terms.Bug %] ID[% END %]
- [% terms.Bug %] #[% bug_id %] does not exist.
+ [% terms.Bug %] #[% bug_id FILTER html %] does not exist.
[% ELSIF error == "invalid_bug_id_or_alias" %]
[% title = BLOCK %]Invalid [% terms.Bug %] ID[% END %]
@@ -383,7 +394,8 @@
[% ELSIF error == "milestone_required" %]
[% title = "Milestone Required" %]
- You must determine a target milestone for [% terms.bug %] [%+ bug_id %]
+ You must determine a target milestone for [% terms.bug %]
+ [%+ bug_id FILTER html %]
if you are going to accept it. Part of accepting
[% terms.abug %] is giving an estimate of when it will be fixed.
@@ -459,7 +471,8 @@
[% ELSIF error == "need_positive_number" %]
[% title = "Positive Number Required" %]
- The <em>[% field_descs.$field %]</em> field requires a positive number.
+ The <em>[% field_descs.$field FILTER html %]</em> field requires a positive
+ number.
[% ELSIF error == "need_product" %]
[% title = "Product Required" %]
@@ -499,7 +512,8 @@
[% ELSIF error == "no_dupe_stats" %]
[% title = "Cannot Find Duplicate Statistics" %]
- There are no duplicate statistics for today ([% today %]) or yesterday.
+ There are no duplicate statistics for today ([% today FILTER html %])
+ or yesterday.
[% ELSIF error == "no_dupe_stats_error_today" %]
[% title = "Error Reading Today's Dupes File" %]
@@ -513,7 +527,8 @@
[% ELSIF error == "no_dupe_stats_error_yesterday" %]
[% title = "Error Reading Yesterday's Dupes File" %]
- There are no duplicate statistics for today ([% today %]), and an error
+ There are no duplicate statistics for today ([% today FILTER html %]),
+ and an error
occurred opening yesterday's dupes file: [% error_msg FILTER html %].
[% ELSIF error == "no_html_in_quips" %]
@@ -558,7 +573,8 @@
[% ELSIF error == "patch_too_large" %]
[% title = "File Too Large" %]
- The file you are trying to attach is [% filesize %] kilobytes (KB) in size.
+ The file you are trying to attach is [% filesize FILTER html %]
+ kilobytes (KB) in size.
Patches cannot be more than [% Param('maxpatchsize') %] KB in size.
Try breaking your patch into several pieces.
@@ -568,7 +584,8 @@
[% ELSIF error == "product_edit_denied" %]
[% title = "Product Edit Access Denied" %]
- You are not permitted to edit [% terms.bugs %] in product [% product %].
+ You are not permitted to edit [% terms.bugs %] in product
+ [% product FILTER html %].
[% ELSIF error == "query_name_missing" %]
[% title = "No Query Name Specified" %]
@@ -620,15 +637,17 @@
[% ELSIF error == "too_many_votes_for_bug" %]
[% title = "Illegal Vote" %]
- You may only use at most [% max %] votes for a single [% terms.bug %] in the
+ You may only use at most [% max FILTER html %] votes for a single
+ [%+ terms.bug %] in the
<tt>[% prod FILTER html %]</tt> product, but you are trying to use
- [% votes %].
+ [% votes FILTER html %].
[% ELSIF error == "too_many_votes_for_product" %]
[% title = "Illegal Vote" %]
- You may only use at most [% max %] votes for [% terms.bugs %] in the
+ You may only use at most [% max FILTER html %] votes for [% terms.bugs %]
+ in the
<tt>[% prod FILTER html %]</tt> product, but you are trying to use
- [% votes %].
+ [% votes FILTER html %].
[% ELSIF error == "token_inexistent" %]
[% title = "Token Does Not Exist" %]
@@ -662,7 +681,8 @@
[% ELSIF error == "value_out_of_range" %]
[% title = "Value Out Of Range" %]
- Value is out of range for field <em>[% field_descs.$field %]</em>.
+ Value is out of range for field
+ <em>[% field_descs.$field FILTER html %]</em>.
[% ELSIF error == "zero_length_file" %]
[% title = "File Is Empty" %]
@@ -684,7 +704,7 @@
<tr>
<td bgcolor="#ff0000">
<font size="+2">
- [% error_message %]
+ [% error_message FILTER none %]
</font>
</td>
</tr>
diff --git a/template/en/default/list/change-columns.html.tmpl b/template/en/default/list/change-columns.html.tmpl
index 61ff34dd7..d49a152c8 100644
--- a/template/en/default/list/change-columns.html.tmpl
+++ b/template/en/default/list/change-columns.html.tmpl
@@ -42,7 +42,9 @@
[% FOREACH column = masterlist %]
<input type="checkbox" id="[% column %]" name="column_[% column %]"
[% "checked='checked'" IF lsearch(collist, column) != -1 %]>
- <label for="[% column %]">[% field_descs.${column} || column %]</label>
+ <label for="[% column %]">
+ [% (field_descs.${column} || column) FILTER html %]
+ </label>
<br>
[% END %]
diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl
index f02d92904..a61bdef98 100644
--- a/template/en/default/list/list.html.tmpl
+++ b/template/en/default/list/list.html.tmpl
@@ -149,7 +149,9 @@
[% END %]
[% IF bugowners %]
- <a href="mailto:[% bugowners %]">Send Mail to [% terms.Bug %] Owners</a> &nbsp;&nbsp;
+ <a href="mailto:[% bugowners FILTER html %]">Send
+ Mail to [% terms.Bug %] Owners</a>
+ &nbsp;&nbsp;
[% END %]
<a href="query.cgi?
diff --git a/template/en/default/reports/components.html.tmpl b/template/en/default/reports/components.html.tmpl
index b6d5010d0..d1af07392 100644
--- a/template/en/default/reports/components.html.tmpl
+++ b/template/en/default/reports/components.html.tmpl
@@ -79,13 +79,15 @@
<a name="[% comp.name FILTER html %]">[% comp.name FILTER html %]</a>
</td>
<td>
- <a href="mailto:[% comp.initialowner %][% Param('emailsuffix') %]">
+ <a href="mailto:[% comp.initialowner FILTER html %]
+ [% Param('emailsuffix') %]">
[% comp.initialowner FILTER html %]</a>
</td>
[% IF Param("useqacontact") %]
<td>
- <a href="mailto:[% comp.initialqacontact %][% Param('emailsuffix') %]">
- [% comp.initialqacontact %]</a>
+ <a href="mailto:[% comp.initialqacontact FILTER html %]
+ [% Param('emailsuffix') %]">
+ [% comp.initialqacontact FILTER html %]</a>
</td>
[% END %]
</tr>
diff --git a/template/en/default/reports/duplicates-simple.html.tmpl b/template/en/default/reports/duplicates-simple.html.tmpl
index a74926f8e..22055779a 100644
--- a/template/en/default/reports/duplicates-simple.html.tmpl
+++ b/template/en/default/reports/duplicates-simple.html.tmpl
@@ -34,7 +34,7 @@
[% END%]
<head>
- <title>[% title %]</title>
+ <title>[% title FILTER html %]</title>
</head>
<body>
diff --git a/template/en/default/reports/duplicates-table.html.tmpl b/template/en/default/reports/duplicates-table.html.tmpl
index 0ebd2b4de..34e070f10 100644
--- a/template/en/default/reports/duplicates-table.html.tmpl
+++ b/template/en/default/reports/duplicates-table.html.tmpl
@@ -70,17 +70,18 @@
[% bug_ids_string = bug_ids.join(',') %]
<a href="duplicates.cgi?sortby=[% column.name %]
[% IF sortby == column.name %]
- [% "&reverse=1" IF NOT reverse %]
+ [% "&amp;reverse=1" IF NOT reverse %]
[% ELSE %]
[%-# Some columns start off reversed %]
- [% "&reverse=1" IF column.name.match('delta|count') %]
+ [% "&amp;reverse=1" IF column.name.match('delta|count') %]
[% END %]
- [% "&maxrows=$maxrows" IF maxrows %]
- [% "&changedsince=$changedsince" IF changedsince %]
- [% "&openonly=1" IF openonly %]
- [% "&product=$product" IF product %]
- [% "&format=$format" IF format %]
- [% "&bug_id=$bug_ids_string&sortvisible=1" IF sortvisible %]">
+ [% "&amp;maxrows=$maxrows" IF maxrows %]
+ [% "&amp;changedsince=$changedsince" IF changedsince %]
+ [% "&amp;openonly=1" IF openonly %]
+ [% IF product %]&amp;product=[% product FILTER html %][% END %]
+ [% IF format %]&amp;format=[% format FILTER html %][% END %]
+ [% "&amp;bug_id=$bug_ids_string&amp;sortvisible=1"
+ IF sortvisible %]">
[% column.description %]</a>
</b>
</center>
@@ -135,10 +136,10 @@
<td><center>[% bug.delta %]</center></td>
[% END %]
- <td>[% bug.component %]</td>
- <td><center>[% bug.bug_severity %]</center></td>
- <td><center>[% bug.op_sys %]</center></td>
- <td><center>[% bug.target_milestone %]</center></td>
+ <td>[% bug.component FILTER html %]</td>
+ <td><center>[% bug.bug_severity FILTER html %]</center></td>
+ <td><center>[% bug.op_sys FILTER html %]</center></td>
+ <td><center>[% bug.target_milestone FILTER html %]</center></td>
<td>[% bug.short_desc FILTER html %]</td>
</tr>
[% END %]
diff --git a/template/en/default/reports/report-table.csv.tmpl b/template/en/default/reports/report-table.csv.tmpl
index 989790e47..216419fea 100644
--- a/template/en/default/reports/report-table.csv.tmpl
+++ b/template/en/default/reports/report-table.csv.tmpl
@@ -29,13 +29,18 @@
[% row_field_disp = field_descs.$row_field || row_field %]
[% title = BLOCK %]
- [% "$tbl_field_disp: $tbl\n" IF tbl_field %]
- [% row_field_disp IF row_field %]
+ [% IF tbl_field %]
+ [% tbl_field_disp FILTER csv %]: [% tbl FILTER csv %]
+
+ [% END %]
+ [% IF row_field %]
+ [% row_field_disp FILTER csv %]
+ [% END %]
[% " / " IF col_field AND row_field %]
- [% col_field_disp %]
+ [% col_field_disp FILTER csv %]
[% END %]
-[% title FILTER csv %],
+[% title %],
[% IF col_field -%]
[% FOREACH col = col_names -%]
[% col FILTER csv -%],
diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl
index f28c39590..e4b52b488 100644
--- a/template/en/default/reports/report-table.html.tmpl
+++ b/template/en/default/reports/report-table.html.tmpl
@@ -50,7 +50,7 @@
<td>
</td>
<td align="center">
- <h2>[% tbl_disp %]</h2>
+ <h2>[% tbl_disp FILTER html %]</h2>
</td>
</tr>
[% END %]
diff --git a/template/en/default/reports/report.html.tmpl b/template/en/default/reports/report.html.tmpl
index 31308c10c..19d8c722f 100644
--- a/template/en/default/reports/report.html.tmpl
+++ b/template/en/default/reports/report.html.tmpl
@@ -54,11 +54,15 @@
[% title = BLOCK %]
Report:
- [% tbl_field_disp IF tbl_field %]
+ [% IF tbl_field %]
+ [% tbl_field_disp FILTER html %]
+ [% END %]
[% " / " IF tbl_field AND (col_field OR row_field) %]
- [% row_field_disp IF row_field %]
+ [% IF row_field %]
+ [% row_field_disp FILTER html %]
+ [% END %]
[% " / " IF col_field AND row_field %]
- [% col_field_disp %]
+ [% col_field_disp FILTER html %]
[% END %]
[% PROCESS global/header.html.tmpl
@@ -128,7 +132,7 @@
[% UNLESS other_format.name == format %]
<a href="[% formaturl %]&amp;format=[% other_format.name %]">
[% END %]
- [% other_format.description %]
+ [% other_format.description FILTER html %]
[% "</a>" UNLESS other_format.name == format %] |
[% END %]
<a href="[% formaturl %]&amp;ctype=csv&amp;format=table">CSV</a>
@@ -139,7 +143,9 @@
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</td>
- [% sizeurl = "report.cgi?$switchbase&amp;action=wrap&amp;format=$format" %]
+ [% sizeurl = BLOCK %]report.cgi?
+ [% switchbase %]&amp;action=wrap&amp;format=
+ [% format FILTER html %][% END %]
<td align="center">
<a href="[% sizeurl %]&amp;width=[% width %]&amp;height=
[% height + 100 %]">Taller</a><br>
diff --git a/template/en/default/search/form.html.tmpl b/template/en/default/search/form.html.tmpl
index 6862ac6f6..db20c6aa5 100644
--- a/template/en/default/search/form.html.tmpl
+++ b/template/en/default/search/form.html.tmpl
@@ -352,7 +352,7 @@ function selectProduct(f) {
value="[% default.short_desc.0 FILTER html %]">
</td>
<td>
- <input type="submit" value="[% button_name %]">
+ <input type="submit" value="[% button_name FILTER html %]">
</td>
</tr>
diff --git a/template/en/default/search/knob.html.tmpl b/template/en/default/search/knob.html.tmpl
index 27f37fbd7..8386eff04 100644
--- a/template/en/default/search/knob.html.tmpl
+++ b/template/en/default/search/knob.html.tmpl
@@ -148,7 +148,7 @@
[% END %]
</select>
- <input type="submit" value="[% button_name %]">
+ <input type="submit" value="[% button_name FILTER html %]">
[% IF userdefaultquery %]
<p>
diff --git a/template/en/default/search/search-report-graph.html.tmpl b/template/en/default/search/search-report-graph.html.tmpl
index 51911fb29..7793f3012 100644
--- a/template/en/default/search/search-report-graph.html.tmpl
+++ b/template/en/default/search/search-report-graph.html.tmpl
@@ -107,7 +107,7 @@
[% PROCESS search/form.html.tmpl %]
<br>
-<input type="submit" value="[% button_name %]">
+<input type="submit" value="[% button_name FILTER html %]">
<input type="hidden" name="action" value="wrap">
<hr>
diff --git a/template/en/default/search/search-report-table.html.tmpl b/template/en/default/search/search-report-table.html.tmpl
index 43010f16c..b850f93c8 100644
--- a/template/en/default/search/search-report-table.html.tmpl
+++ b/template/en/default/search/search-report-table.html.tmpl
@@ -82,7 +82,7 @@
[% PROCESS search/form.html.tmpl %]
<br>
-<input type="submit" value="[% button_name %]">
+<input type="submit" value="[% button_name FILTER html %]">
<input type="hidden" name="format" value="table">
<input type="hidden" name="action" value="wrap">
<hr>