From 58b92d3b0245f6565a7ff34e78fce1e9ec56b355 Mon Sep 17 00:00:00 2001
From: Manish Goregaokar
Date: Thu, 17 Apr 2014 18:27:05 +0200
Subject: Bug 968576: [SECURITY] Dangerous control characters allowed in Bugzilla text r=glob a=justdave

---
 Bugzilla/Util.pm | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'Bugzilla/Util.pm')

diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 5f359c38c..9bcb6962d 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -75,6 +75,10 @@ sub html_quote {
     state $use_utf8 = Bugzilla->params->{'utf8'};
 
     if ($use_utf8) {
+        # Remove control characters if the encoding is utf8.
+        # Other multibyte encodings may be using this range; so ignore if not utf8.
+        $var =~ s/(?![\t\r\n])[[:cntrl:]]//g;
+
         # Remove the following characters because they're
         # influencing BiDi:
         # --------------------------------------------------------
-- 
cgit v1.2.3-24-g4f1b
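Review bot: The added `s/(?![\t\r\n])[[:cntrl:]]//g` only does what its comment promises when `$var` is a decoded character string: on a byte string without unicode_strings semantics `[[:cntrl:]]` covers just U+0000–U+001F and U+007F, so UTF-8-encoded C1 controls (U+0080–U+009F, including NEL) survive, and the `$use_utf8` param check does not by itself prove the string is decoded, so this should be confirmed against how callers build `$var` (if it may be raw bytes, neither this form nor `\p{Cc}` is safe and decoding first is the real fix). Two caveats worth recording next to the line: `[[:cntrl:]]` is category Cc only, so Unicode format characters (Cf) and the separators U+2028/U+2029 are not touched here, and stripping inside html_quote() leaves any output path that does not go through it (API, email, attachments) carrying the raw characters unless input is cleaned elsewhere. The diffstat shows one file changed and no test; a t/ case pushing a string containing U+0000, U+0085 and an embedded tab through html_quote() would pin the intended behaviour. I would make the comment precise as well: `# Strip Unicode Cc control characters except TAB/CR/LF; assumes $var is a decoded (utf8-flagged) string — C1 controls are only caught under Unicode rules.` html_quote's body starts and ends outside the hunk.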