From 16176cbde18261361ff1e5d37fb653c64019f22a Mon Sep 17 00:00:00 2001
From: David Lawrence
Date: Wed, 23 Dec 2015 03:27:08 +0000
Subject: Bug 1234237 - Backport upstream bug 1232785 to bmo/4.2 [SECURITY] Buglists in CSV format can be parsed as valid javascript in some browsers
---
 Bugzilla/Template.pm | 3 +++
 1 file changed, 3 insertions(+)
(limited to 'Bugzilla')
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index b03698477..076e654cb 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -860,6 +860,9 @@ sub create {
 {
 my ($var) = @_;
 $var = ' ' . $var if substr($var, 0, 1) eq '=';
+ # backslash is not special to CSV, but it can be used to confuse some browsers...
+ # so we do not allow it to happen. We only do this for logged-in users.
+ $var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id;
 $var =~ s/\"/\"\"/g;
 if ($var !~ /^-?(\d+\.)?\d*$/) {
 $var = "\"$var\"";
--
cgit v1.2.3-24-g4f1b
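Review bot: The new comment says the backslash rewrite is applied only for logged-in users but not why, and that rationale is the security-relevant part of the hunk: with `if Bugzilla->user->id` an anonymous export keeps backslashes verbatim, so the mitigation presumably targets the case where a cross-site `<script>` inclusion of the CSV could expose data only the victim's session can see, while a public buglist has nothing to leak (inferred from the subject line, not visible here). I would replace the two added comment lines with `# A backslash can make this CSV parse as a JavaScript string in some browsers when included cross-site; map it to U+FF3C for logged-in users, whose buglists may contain private data.` Two caveats are worth recording beside it: the export is no longer byte-faithful for authenticated users (a consumer expecting `\` now receives the fullwidth variant), and substituting a non-ASCII character into `$var` assumes the value is a decoded character string and the output handle is encoded — if `$var` is still raw bytes at this point, the wide character upgrades the string and can garble the rest of the cell, which should be confirmed against how the template output is encoded. The enclosing `csv` filter closure and `sub create` both begin before and end after this hunk.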