From 15a11fc740e733e1686f7eca58335ccc37880f89 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Fri, 4 Apr 2008 11:47:42 +0000
Subject: Bug 70907: QuickSearch: port the JS code to perl (make it
 server-side) - Patch by Marc Schumann <wurblzap@gmail.com> r=wicked a=myk

---
 docs/en/xml/security.xml | 37 ++++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 17 deletions(-)

(limited to 'docs/en/xml/security.xml')

diff --git a/docs/en/xml/security.xml b/docs/en/xml/security.xml
index 394976d6b..7f47483cc 100644
--- a/docs/en/xml/security.xml
+++ b/docs/en/xml/security.xml
@@ -1,5 +1,5 @@
 <!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
-<!-- $Id: security.xml,v 1.10 2008/04/04 06:48:17 mozilla%colinogilvie.co.uk Exp $ -->
+<!-- $Id: security.xml,v 1.7 2008/04/04 06:48:14 lpsolit%gmail.com Exp $ -->
 
 <chapter id="security">
 <title>Bugzilla Security</title>
@@ -352,25 +352,28 @@ skip-networking
     <section id="security-bugzilla-charset">
     <title>Prevent users injecting malicious Javascript</title>
 
-      <para>If you installed Bugzilla version 2.22 or later from scratch,
-      then the <emphasis>utf8</emphasis> parameter is switched on by default.
-      This makes Bugzilla explicitly set the character encoding, following
+      <para>It is possible for a Bugzilla user to take advantage of character
+      set encoding ambiguities to inject HTML into Bugzilla comments. This
+      could include malicious scripts. 
+      Due to internationalization concerns, we are unable to
+      incorporate by default the code changes suggested by 
       <ulink
-      url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">a
-      CERT advisory</ulink> recommending exactly this.
-      The following therefore does not apply to you; just keep
-      <emphasis>utf8</emphasis> turned on.
+      url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">the
+      CERT advisory</ulink> on this issue.
+      Making the change in <xref linkend="security-bugzilla-charset-ex"/> will
+      prevent this problem. 
       </para>
 
-      <para>If you've upgraded from an older version, then it may be possible
-      for a Bugzilla user to take advantage of character set encoding
-      ambiguities to inject HTML into Bugzilla comments.
-      This could include malicious scripts. 
-      This is because due to internationalization concerns, we are unable to
-      turn the <emphasis>utf8</emphasis> parameter on by default for upgraded
-      installations.
-      Turning it on manually will prevent this problem.
-      </para>
+      <example id="security-bugzilla-charset-ex">
+      <title>Forcing Bugzilla to output a charset</title>
+
+        <para>Locate the following line in
+        <filename>Bugzilla/CGI.pm</filename>:
+        <programlisting>$self->charset('');</programlisting>
+        and change it to:
+        <programlisting>$self->charset('UTF-8');</programlisting>
+        </para>
+      </example>
     </section>    
     
   </section>
-- 
cgit v1.2.3-24-g4f1b