-rw-r--r--Bugzilla/Template.pm34
-rw-r--r--Bugzilla/Util.pm41
-rw-r--r--t/007util.t2
3 files changed, 36 insertions, 41 deletions
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 48cd90508..d7ebfc055 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -641,39 +641,7 @@ sub create {
1
],
- # Bug 120030: Override html filter to obscure the '@' in user
- # visible strings.
- # Bug 319331: Handle BiDi disruptions.
- html => sub {
- my ($var) = Template::Filters::html_filter(@_);
- # Obscure '@'.
- $var =~ s/\@/\@/g;
- if (Bugzilla->params->{'utf8'}) {
- # Remove the following characters because they're
- # influencing BiDi:
- # --------------------------------------------------------
- # |Code |Name |UTF-8 representation|
- # |------|--------------------------|--------------------|
- # |U+202a|Left-To-Right Embedding |0xe2 0x80 0xaa |
- # |U+202b|Right-To-Left Embedding |0xe2 0x80 0xab |
- # |U+202c|Pop Directional Formatting|0xe2 0x80 0xac |
- # |U+202d|Left-To-Right Override |0xe2 0x80 0xad |
- # |U+202e|Right-To-Left Override |0xe2 0x80 0xae |
- # --------------------------------------------------------
- #
- # The following are characters influencing BiDi, too, but
- # they can be spared from filtering because they don't
- # influence more than one character right or left:
- # --------------------------------------------------------
- # |Code |Name |UTF-8 representation|
- # |------|--------------------------|--------------------|
- # |U+200e|Left-To-Right Mark |0xe2 0x80 0x8e |
- # |U+200f|Right-To-Left Mark |0xe2 0x80 0x8f |
- # --------------------------------------------------------
- $var =~ s/[\x{202a}-\x{202e}]//g;
- }
- return $var;
- },
+ html => \&Bugzilla::Util::html_quote,
html_light => \&Bugzilla::Util::html_light_quote,
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index b3d5b0eaa..55ec6dcf8 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -55,6 +55,7 @@ use DateTime::TimeZone;
use Digest;
use Email::Address;
use Scalar::Util qw(tainted);
+use Template::Filters;
use Text::Wrap;
sub trick_taint {
@@ -81,12 +82,37 @@ sub detaint_signed {
return (defined($_[0]));
}
+# Bug 120030: Override html filter to obscure the '@' in user
+# visible strings.
+# Bug 319331: Handle BiDi disruptions.
sub html_quote {
- my ($var) = (@_);
- $var =~ s/\&/\&/g;
- $var =~ s/</\&lt;/g;
- $var =~ s/>/\&gt;/g;
- $var =~ s/\"/\&quot;/g;
+ my ($var) = Template::Filters::html_filter(@_);
+ # Obscure '@'.
+ $var =~ s/\@/\&#64;/g;
+ if (Bugzilla->params->{'utf8'}) {
+ # Remove the following characters because they're
+ # influencing BiDi:
+ # --------------------------------------------------------
+ # |Code |Name |UTF-8 representation|
+ # |------|--------------------------|--------------------|
+ # |U+202a|Left-To-Right Embedding |0xe2 0x80 0xaa |
+ # |U+202b|Right-To-Left Embedding |0xe2 0x80 0xab |
+ # |U+202c|Pop Directional Formatting|0xe2 0x80 0xac |
+ # |U+202d|Left-To-Right Override |0xe2 0x80 0xad |
+ # |U+202e|Right-To-Left Override |0xe2 0x80 0xae |
+ # --------------------------------------------------------
+ #
+ # The following are characters influencing BiDi, too, but
+ # they can be spared from filtering because they don't
+ # influence more than one character right or left:
+ # --------------------------------------------------------
+ # |Code |Name |UTF-8 representation|
+ # |------|--------------------------|--------------------|
+ # |U+200e|Left-To-Right Mark |0xe2 0x80 0x8e |
+ # |U+200f|Right-To-Left Mark |0xe2 0x80 0x8f |
+ # --------------------------------------------------------
+ $var =~ s/[\x{202a}-\x{202e}]//g;
+ }
return $var;
}
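Review bot: The BiDi stripping at `$var =~ s/[\x{202a}-\x{202e}]//g;` only runs when `Bugzilla->params->{'utf8'}` is true and only matches if `$var` is already a decoded character string, so with the parameter off or a raw byte string the U+202A–U+202E sequences pass through to the HTML untouched; since html_quote is now the shared helper rather than a template-only filter, it is worth stating that precondition in the header comment, e.g. `# NOTE: BiDi controls are only removed when the utf8 param is on and $var holds characters, not bytes.` The class also predates the Unicode 6.3 isolate controls U+2066–U+2069 (LRI/RLI/FSI/PDI), which have the same spoofing potential; extending the line to `$var =~ s/[\x{202a}-\x{202e}\x{2066}-\x{2069}]//g;` covers them. Calling `Bugzilla->params` from inside Bugzilla::Util presumably assumes Bugzilla.pm is already loaded in every caller of html_quote — confirm that holds for the non-CGI entry points that import this module.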
@@ -745,8 +771,9 @@ be done in the template where possible.
=item C<html_quote($val)>
-Returns a value quoted for use in HTML, with &, E<lt>, E<gt>, and E<34> being
-replaced with their appropriate HTML entities.
+Returns a value quoted for use in HTML, with &, E<lt>, E<gt>, E<34> and @ being
+replaced with their appropriate HTML entities. Also, Unicode BiDi controls are
+deleted.
=item C<html_light_quote($val)>
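Review bot: The new POD sentence `Also, Unicode BiDi controls are deleted.` states the removal unconditionally, but the code in html_quote only strips them when the `utf8` parameter is enabled. Suggest `Also, when the C<utf8> parameter is on, the Unicode BiDi control characters U+202A to U+202E are deleted.` so callers relying on this for output sanitisation know it is configuration-dependent.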
diff --git a/t/007util.t b/t/007util.t
index c0433639b..af36e94ac 100644
--- a/t/007util.t
+++ b/t/007util.t
@@ -45,7 +45,7 @@ my $tz = Bugzilla->local_timezone->short_name_for_datetime(DateTime->new(year =>
# XXX: test taint functions
#html_quote():
-is(html_quote("<lala&>"),"&lt;lala&amp;&gt;",'html_quote');
+is(html_quote("<lala&@>"),"&lt;lala&amp;&#64;&gt;",'html_quote');
#url_quote():
is(url_quote("<lala&>gaa\"'[]{\\"),"%3Clala%26%3Egaa%22%27%5B%5D%7B%5C",'url_quote');
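Review bot: The updated assertion only pins the new `@` → `&#64;` behaviour; the other two things html_quote now delegates or adds — `"` quoting via Template::Filters::html_filter and BiDi control removal — have no test. Adding `is(html_quote(q{a"b}), '&#64;' eq '' ? '' : 'a&quot;b', 'html_quote quotes double quote');` is overkill; a plain `is(html_quote(q{a"b}), 'a&quot;b', 'html_quote quotes double quote');` suffices, and a case such as `is(html_quote("a\x{202e}b"), 'ab', 'html_quote strips BiDi override');` would catch regressions, provided the test harness runs with the `utf8` parameter set — that needs confirming against the test setup.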