-rw-r--r-- | Bugzilla/Template.pm | 6 | ||||
-rw-r--r-- | Bugzilla/Util.pm | 24 | ||||
-rwxr-xr-x | showdependencygraph.cgi | 2 | ||||
-rw-r--r-- | t/007util.t | 5 |
4 files changed, 5 insertions, 32 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index c22502806..d8e23c939 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -144,8 +144,6 @@ sub quoteUrls {
 # Do this by escaping \0 to \1\0, and replacing matches with \0\0$count\0\0
 # \0 is used because it's unlikely to occur in the text, so the cost of
 # doing this should be very small
- # Also, \0 won't appear in the value_quote'd bug title, so we don't have
- # to worry about bogus substitutions from there
 # escape the 2nd escape char we're using
 my $chr1 = chr(1);
@@ -265,7 +263,7 @@ sub get_attachment_link {
 $className = "bz_obsolete";
 }
 # Prevent code injection in the title.
- $title = value_quote($title);
+ $title = html_quote(clean_text($title));
 $link_text =~ s/ \[details\]$//;
 my $linkval = "attachment.cgi?id=$attachid";
@@ -321,7 +319,7 @@ sub get_bug_link {
 $title .= " - $bug_desc";
 }
 # Prevent code injection in the title.
- $title = value_quote($title);
+ $title = html_quote(clean_text($title));
 my $linkval = "show_bug.cgi?id=$bug_num";
 if (defined $comment_num) {
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index e15edc6b5..5c68a9092 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -33,7 +33,7 @@ use strict;
 use base qw(Exporter);
 @Bugzilla::Util::EXPORT = qw(is_tainted trick_taint detaint_natural detaint_signed
- html_quote url_quote value_quote xml_quote
+ html_quote url_quote xml_quote
 css_class_quote html_light_quote url_decode i_am_cgi get_netaddr correct_urlbase lsearch
@@ -195,22 +195,6 @@ sub css_class_quote {
 return $toencode;
 }
-sub value_quote {
- my ($var) = (@_);
- $var =~ s/\&/\&/g;
- $var =~ s/</\</g;
- $var =~ s/>/\>/g;
- $var =~ s/\"/\"/g;
- # See bug http://bugzilla.mozilla.org/show_bug.cgi?id=4928 for
- # explanation of why Bugzilla does this linebreak substitution.
- # This caused form submission problems in mozilla (bug 22983, 32000).
- $var =~ s/\r\n/\
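Review bot: The `html_quote(clean_text($title))` call that replaces `value_quote($title)` in get_attachment_link has no test behind it for attribute use: this commit drops the value_quote case from t/007util.t, and the html_quote case that stays uses the input `<lala&>`, which has no double quote or line break. The same replacement is made in get_bug_link and in CreateImagemap in showdependencygraph.cgi, where the result is interpolated into `title="$bugtitle"`, so a `"` that is not encoded would end the attribute early. I would add a case beside the html_quote one, e.g. `is(html_quote(clean_text("a\"b\nc")), 'a&quot;b c', 'html_quote(clean_text()) for attributes');`, and keep the plan at `tests => 13`. The expected string assumes clean_text turns control characters into a space and html_quote encodes `"`; neither definition is visible in this diff, so confirm it against Bugzilla::Util. get_attachment_link starts and ends outside the hunk.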
/g;
- $var =~ s/\n\r/\
/g;
- $var =~ s/\r/\
/g;
- $var =~ s/\n/\
/g;
- return $var;
-}
-
 sub xml_quote {
 my ($var) = (@_);
 $var =~ s/\&/\&/g;
@@ -539,7 +523,6 @@ Bugzilla::Util - Generic utility functions for bugzilla
 # Functions for quoting
 html_quote($var);
 url_quote($var);
- value_quote($var);
 xml_quote($var);
 # Functions for decoding
@@ -652,11 +635,6 @@ Quotes characters so that they may be included as part of a url.
 Quotes characters so that they may be used as CSS class names. Spaces are replaced by underscores.
-=item C<value_quote($val)>
-
-As well as escaping html like C<html_quote>, this routine converts newlines
-into 
, suitable for use in html attributes.
-
 =item C<xml_quote($val)>
 This is similar to C<html_quote>, except that ' is escaped to '. This
diff --git a/showdependencygraph.cgi b/showdependencygraph.cgi
index fd042f436..c4d371f45 100755
--- a/showdependencygraph.cgi
+++ b/showdependencygraph.cgi
@@ -71,7 +71,7 @@ sub CreateImagemap {
 # Pick up bugid from the mapdata label field. Getting the title from
 # bugtitle hash instead of mapdata allows us to get the summary even
 # when showsummary is off, and also gives us status and resolution.
- my $bugtitle = value_quote($bugtitles{$bugid});
+ my $bugtitle = html_quote(clean_text($bugtitles{$bugid}));
 $map .= qq{<area alt="bug $bugid" name="bug$bugid" shape="rect" } .
 qq{title="$bugtitle" href="$url" } .
 qq{coords="$leftx,$topy,$rightx,$bottomy">\n};
diff --git a/t/007util.t b/t/007util.t
index 5f2c998d1..18d58148b 100644
--- a/t/007util.t
+++ b/t/007util.t
@@ -28,7 +28,7 @@ use lib 't';
 use Support::Files;
 BEGIN {
- use Test::More tests => 13;
+ use Test::More tests => 12;
 use_ok(Bugzilla);
 use_ok(Bugzilla::Util);
 }
@@ -48,9 +48,6 @@ is(html_quote("<lala&>"),"<lala&>",'html_quote');
 #url_quote():
 is(url_quote("<lala&>gaa\"'[]{\\"),"%3Clala%26%3Egaa%22%27%5B%5D%7B%5C",'url_quote');
-#value_quote():
-is(value_quote("<lal\na&>g\naa\"'[\n]{\\"),"<lal
a&>g
aa"'[
]{\\",'value_quote');
-
 #lsearch():
 my @list = ('apple','pear','plum','<"\\%');
 is(lsearch(\@list,'pear'),1,'lsearch 1'); |