From 6c0f16ffbf7b39da24ded73e17fd2fc0ea4e1a75 Mon Sep 17 00:00:00 2001
From: "mkanat%bugzilla.org" <>
Date: Fri, 22 Sep 2006 06:19:03 +0000
Subject: Bug 351994: Messages shouldn't contain HTML characters unless we're in USAGE_MODE_BROWSER

Patch By Max Kanat-Alexander r=ghendricks, a=myk
---
 Bugzilla/Template.pm | 16 ++++++++++++++++
 t/008filter.t | 2 +-
 template/en/default/global/code-error.html.tmpl | 6 +++++-
 template/en/default/global/message.txt.tmpl | 2 +-
 template/en/default/global/user-error.html.tmpl | 6 +++++-
 5 files changed, 28 insertions(+), 4 deletions(-)

diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index b54c4a0f2..7149828ef 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -760,6 +760,22 @@ sub create {
 1
 ],
+ # Note that using this filter is even more dangerous than
+ # using "none," and you should only use it when you're SURE
+ # the output won't be displayed directly to a web browser.
+ txt => sub {
+ my ($var) = @_;
+ # Trivial HTML tag remover
+ $var =~ s/<[^>]*>//g;
+ # And this basically reverses the html filter.
+ $var =~ s/\@/@/g;
+ $var =~ s/\<//g;
+ $var =~ s/\"/\"/g;
+ $var =~ s/\&/\&/g;
+ return $var;
+ },
+
 # Wrap a displayed comment to the appropriate length
 wrap_comment => \&Bugzilla::Util::wrap_comment,
diff --git a/t/008filter.t b/t/008filter.t
index 02d4d4a7e..66f4b7c97 100644
--- a/t/008filter.t
+++ b/t/008filter.t
@@ -225,7 +225,7 @@ sub directive_ok {
 return 1 if $directive =~ /FILTER\ (html|csv|js|base64|url_quote|css_class_quote|
 ics|quoteUrls|time|uri|xml|lower|
 obsolete|inactive|closed|unitconvert|
- none)\b/x;
+ txt|none)\b/x;
 return 0;
 }
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 63ce0ffab..f6ccae754 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
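Review bot: The new `txt` filter removes tags before it decodes entities, so an escaped angle bracket that the html filter produced from user-typed text reappears as a literal `<...>` in the result; that is the correct answer for a plain-text sink, but it means the output is not tag-free, and the header comment should state the ordering rather than leaving "Trivial HTML tag remover" as the last word. Suggested comment above the first substitution: `# Order matters: tags go first, then entities are decoded, so escaped angle brackets come back as literal text. This output is plain text, never HTML.` The decode lines as shown (`s/\@/@/g`, `s/\<//g`, `s/\"/\"/g`) look like rendering artifacts of the real entity patterns, so I can only check structure: the ampersand reversal must stay last, as it is here, or a doubly escaped entity would be decoded twice. The enclosing `create` sub and its filter hash start and end outside the hunk.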
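Review bot: Adding `txt` to the alternation in `directive_ok` makes t/008filter.t accept `FILTER txt` as sufficient in any template, including `.html.tmpl` files, even though the filter's own comment in Bugzilla/Template.pm calls it more dangerous than `none`; the test can then no longer catch an accidental `FILTER txt` on an HTML page. I can't see from this hunk how the test otherwise treats `none`, so whether `txt` can be special-cased the same way is hedged; at minimum the decision deserves a comment on the regex: `# txt is accepted like none: an explicit opt-out, not an escaping filter.` The `directive_ok` sub begins above the hunk.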
@@ -434,7 +434,11 @@
 [%# We only want HTML error messages for ERROR_MODE_WEBPAGE %]
 [% USE Bugzilla %]
 [% IF Bugzilla.error_mode != constants.ERROR_MODE_WEBPAGE %]
- [% error_message FILTER none %]
+ [% IF Bugzilla.usage_mode == constants.USAGE_MODE_BROWSER %]
+ [% error_message FILTER none %]
+ [% ELSE %]
+ [% error_message FILTER txt %]
+ [% END %]
 [% RETURN %]
 [% END %]
diff --git a/template/en/default/global/message.txt.tmpl b/template/en/default/global/message.txt.tmpl
index fc0ec1977..e8ec1e510 100644
--- a/template/en/default/global/message.txt.tmpl
+++ b/template/en/default/global/message.txt.tmpl
@@ -23,4 +23,4 @@
 [%# Yes, this may show some HTML. But it's the best we
 # can do at the moment. %]
 [% PROCESS global/messages.html.tmpl %]
-[% message %]
+[% message FILTER txt %]
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index a9706376b..646da5f75 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1483,7 +1483,11 @@
 [%# We only want HTML error messages for ERROR_MODE_WEBPAGE %]
 [% USE Bugzilla %]
 [% IF Bugzilla.error_mode != constants.ERROR_MODE_WEBPAGE %]
- [% error_message FILTER none %]
+ [% IF Bugzilla.usage_mode == constants.USAGE_MODE_BROWSER %]
+ [% error_message FILTER none %]
+ [% ELSE %]
+ [% error_message FILTER txt %]
+ [% END %]
 [% RETURN %]
 [% END %]
-- 
cgit v1.2.3-24-g4f1b
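Review bot: The new inner branch chooses between `FILTER none` and `FILTER txt` on `Bugzilla.usage_mode`, while the enclosing condition tests `Bugzilla.error_mode`, so an error raised with a non-webpage error mode during a browser session still leaves this block unfiltered, exactly as before the change; if that combination is ever written to a text sink the HTML goes with it, which I can't confirm from here. A comment would record the intent and make the two-enum check less surprising: `[%# A browser caller still renders this as HTML; every other usage mode gets the plain-text form. %]`. The same structure is added to user-error.html.tmpl at line 1483 and the comment belongs there too.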
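Review bot: The context comment two lines above the change, `[%# Yes, this may show some HTML. But it's the best we # can do at the moment. %]`, is now stale: with `FILTER txt` the markup is stripped and entities decoded, so the caveat no longer describes the line it sits above. Replace it with something like `[%# messages.html.tmpl produces HTML; the txt filter strips tags and decodes entities for this plain-text output, so link targets and other markup are lost. %]`. Tag stripping also drops the href of any link an HTML message carried, leaving only the link text, so it is worth confirming that no message relies on a URL being visible in text output.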