From 4d1c399ff6391b70e15a2c06d5bec10e2aaa3d3c Mon Sep 17 00:00:00 2001
From: Matt Selsky
Date: Thu, 11 Dec 2014 18:00:18 +0000
Subject: Bug 1102842 - remove and/or unwhitelist unsafe filters. r=gerv, a=simon.
---
 Bugzilla/Template.pm | 29 ----------------------
 t/004template.t | 3 ---
 t/008filter.t | 6 ++---
 template/en/default/account/prefs/prefs.html.tmpl | 2 +-
 template/en/default/attachment/list.html.tmpl | 10 +++++++-
 .../en/default/attachment/show-multiple.html.tmpl | 10 +++++++-
 template/en/default/bug/dependency-tree.html.tmpl | 6 ++++-
 template/en/default/list/change-columns.html.tmpl | 2 +-
 template/en/default/list/edit-multiple.html.tmpl | 12 ++++++---
 9 files changed, 37 insertions(+), 43 deletions(-)
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 26ef37585..2b068dc2c 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -759,35 +759,6 @@ sub create {
 # built-in filter, please also add a stub filter to t/004template.t.
 FILTERS => {
- # Render text in required style.
-
- inactive => [
- sub {
- my($context, $isinactive) = @_;
- return sub {
- return $isinactive ? ''.$_[0].'' : $_[0];
- }
- }, 1
- ],
-
- closed => [
- sub {
- my($context, $isclosed) = @_;
- return sub {
- return $isclosed ? ''.$_[0].'' : $_[0];
- }
- }, 1
- ],
-
- obsolete => [
- sub {
- my($context, $isobsolete) = @_;
- return sub {
- return $isobsolete ? ''.$_[0].'' : $_[0];
- }
- }, 1
- ],
-
 # Returns the text with backslashes, single/double quotes,
 # and newlines/carriage returns escaped for use in JS strings.
 js => sub {
diff --git a/t/004template.t b/t/004template.t
index b0ca5a629..6e366c044 100644
--- a/t/004template.t
+++ b/t/004template.t
@@ -74,9 +74,6 @@ foreach my $include_path (@include_paths) {
 no_break => sub { return $_; } ,
 js => sub { return $_ } ,
 base64 => sub { return $_ } ,
- inactive => [ sub { return sub { return $_; } }, 1] ,
- closed => [ sub { return sub { return $_; } }, 1] ,
- obsolete => [ sub { return sub { return $_; } }, 1] ,
 url_quote => sub { return $_ } ,
 css_class_quote => sub { return $_ } ,
 xml => sub { return $_ } ,
diff --git a/t/008filter.t b/t/008filter.t
index fea018d43..1f5219f71 100644
--- a/t/008filter.t
+++ b/t/008filter.t
@@ -210,9 +210,9 @@ sub directive_ok {
 # Note: If a single directive prints two things, and only one is
 # filtered, we may not catch that case.
 return 1 if $directive =~ /FILTER\ (html|csv|js|base64|css_class_quote|ics|
- quoteUrls|time|uri|xml|lower|html_light|
- obsolete|inactive|closed|unitconvert|
- txt|html_linebreak|markdown|none|null)\b/x;
+ quoteUrls|time|uri|xml|html_light|
+ unitconvert|txt|html_linebreak|markdown|
+ none|null)\b/x;
 return 0;
 }
diff --git a/template/en/default/account/prefs/prefs.html.tmpl b/template/en/default/account/prefs/prefs.html.tmpl
index 8f11d0a6f..33c0b4224 100644
--- a/template/en/default/account/prefs/prefs.html.tmpl
+++ b/template/en/default/account/prefs/prefs.html.tmpl
@@ -68,7 +68,7 @@
 [% IF changes_saved %]
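Review bot: `lower` disappears from the whitelist in the new alternation along with the three removed filters, but nothing in directive_ok records the rule behind that, so the next contributor adding a case-changing or formatting filter has no guidance. The prefs and change-columns hunks in this commit show the intended usage (`FILTER lower` followed by `FILTER html`), and because the regex is unanchored that chain is accepted through `html`. I would add above the `return 1 if` line: `# Only filters that escape their output belong here; text transforms such as lower are not escaping and must be chained with html, so they are deliberately absent.` The body of directive_ok starts before this hunk.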
- The changes to your [% current_tab.label FILTER lower %] have been saved.
+ The changes to your [% current_tab.label FILTER lower FILTER html %] have been saved.
 [% IF email_changes_saved %]

diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl
index 4599f38ed..2e160eda7 100644
--- a/template/en/default/attachment/list.html.tmpl
+++ b/template/en/default/attachment/list.html.tmpl
@@ -70,7 +70,15 @@ function toggle_display(link) {
 [% END %]
- [% attachment.description FILTER html FILTER obsolete(attachment.isobsolete) %]
+
+ [% IF attachment.isobsolete %]
+
+ [% END %]
+ [% attachment.description FILTER html %]
+ [% IF attachment.isobsolete %]
+
+ [% END %]
+
 [% "" IF attachment.datasize %]
diff --git a/template/en/default/attachment/show-multiple.html.tmpl b/template/en/default/attachment/show-multiple.html.tmpl
index e2c95cb80..16d093372 100644
--- a/template/en/default/attachment/show-multiple.html.tmpl
+++ b/template/en/default/attachment/show-multiple.html.tmpl
@@ -34,7 +34,15 @@
 Attachment #[% a.id %]
- [% a.description FILTER html FILTER obsolete(a.isobsolete) %]
+
+ [% IF a.isobsolete %]
+
+ [% END %]
+ [% a.description FILTER html %]
+ [% IF a.isobsolete %]
+
+ [% END %]
+
 [% IF a.ispatch %]
diff --git a/template/en/default/bug/dependency-tree.html.tmpl b/template/en/default/bug/dependency-tree.html.tmpl
index a2730f3c9..70855fdc2 100644
--- a/template/en/default/bug/dependency-tree.html.tmpl
+++ b/template/en/default/bug/dependency-tree.html.tmpl
@@ -136,7 +136,9 @@
 [% BLOCK buglink %]
 [% isclosed = !bug.isopened %]
- [% FILTER closed(isclosed) -%]
+ [% IF isclosed %]
+
+ [% END %]
 [%- bugid %]:
@@ -148,6 +150,8 @@
+ [% IF isclosed %]
+ [% END %]
 [% END %]
diff --git a/template/en/default/list/change-columns.html.tmpl b/template/en/default/list/change-columns.html.tmpl
index c0279803c..aef352d0f 100644
--- a/template/en/default/list/change-columns.html.tmpl
+++ b/template/en/default/list/change-columns.html.tmpl
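Review bot: The open-wrapper / description / close-wrapper sequence added around `[% attachment.description FILTER html %]` — two `[% IF attachment.isobsolete %] … [% END %]` blocks — is repeated almost verbatim in show-multiple.html.tmpl and, keyed on `inactive`, in edit-multiple.html.tmpl in this same commit, so the markup the removed `obsolete` filter used to centralise is now maintained by hand in three places. A small shared `BLOCK` taking the text and the flag, PROCESSed from each caller, would keep the wrapper in one spot while still leaving an explicit `FILTER html` in template code for t/008filter.t to check. The wrapper lines themselves do not survive in this rendering (they show as bare `+` lines), so I cannot confirm that the opening and closing markup pair up; please eyeball that before landing.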
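Review bot: The closed-bug wrapper is opened by the `[% IF isclosed %] … [% END %]` added after `[% isclosed = !bug.isopened %]` and closed by a second `[% IF isclosed %] … [% END %]` twelve lines later in a separate hunk, with everything between them outside what is shown; the two conditions must stay in lockstep, so a comment on the first, `[%# opens the closed-bug wrapper; the matching close follows the link below %]`, would make that dependency visible to the next editor. The replaced `[% FILTER closed(isclosed) -%]` chomped the newline after it and the new `[% IF isclosed %]` does not, so the link text may now carry extra leading whitespace — worth checking the rendered output or writing `[% IF isclosed -%]`. The buglink BLOCK begins in the first hunk; which `[% END %]` closes it is not identifiable from the hunks.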
@@ -31,7 +31,7 @@
 [% FOREACH column = columns.keys %]
 [% NEXT IF collist.contains(column) %]
 [%# We lowecase the keys so that the sort happens case-insensitively. %]
- [% SET column_desc = field_descs.$column || column FILTER lower %]
+ [% SET column_desc = field_descs.$column || column FILTER lower FILTER html %]
 [% available_columns.$column_desc = column %]
 [% END %]
diff --git a/template/en/default/list/edit-multiple.html.tmpl b/template/en/default/list/edit-multiple.html.tmpl
index e581f0892..d956fa62b 100644
--- a/template/en/default/list/edit-multiple.html.tmpl
+++ b/template/en/default/list/edit-multiple.html.tmpl
@@ -371,7 +371,13 @@
 [% SET inactive = !group.is_active %]
- [% group.description FILTER html_light FILTER inactive(inactive) %]
+ [% IF inactive %]
+
+ [% END %]
+ [% group.description FILTER html_light %]
+ [% IF inactive %]
+
+ [% END %]
@@ -380,8 +386,8 @@
 [% IF foundinactive %]
-
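Review bot: Whether a postfix `FILTER` on a `SET` directive escapes the value being assigned, or is applied only to the (empty) output of the SET itself, is a Template Toolkit parsing detail I would confirm before relying on this line for escaping; if it is the latter, `column_desc` is stored unescaped and the `FILTER html` has to move to wherever `column_desc` is printed. Even if the filter does apply, `column_desc` becomes a hash key on the next line, so the escaped text will be double-escaped if that key is later emitted with its own `FILTER html`. The lines that print `column_desc` are outside this hunk, so I cannot see which case applies; a comment here such as `[%# escaped at assignment because it is printed as-is below; keep in sync with the output loop %]`, or moving the escape to the output site, would settle it. The FOREACH loop is fully inside the hunk but its consumer is not.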

(Note: [% terms.Bugs %] may not be added to [% FILTER inactive %]inactive - groups[% END %], only removed.)

+

(Note: [% terms.Bugs %] may not be added to inactive + groups, only removed.)

[% END %] [% END %] -- cgit v1.2.3-24-g4f1b