From 02aa6ce0a7cd9ef14079a5ee22c175ff9d16ed58 Mon Sep 17 00:00:00 2001
From: David Lawrence <dkl@mozilla.com>
Date: Tue, 8 Mar 2016 14:26:33 +0000
Subject: Bug 1252445 - Tracking flags configuration is vulnerable to CSRF and
 causes persistent XSS

---
 .../template/en/default/bug/tracking_flags.html.tmpl           |  3 ++-
 .../template/en/default/hook/bug/create/create-form.html.tmpl  |  3 ++-
 .../en/default/hook/bug/edit-after_custom_fields.html.tmpl     |  3 ++-
 .../en/default/pages/tracking_flags_admin_edit.html.tmpl       | 10 +++++++---
 4 files changed, 13 insertions(+), 6 deletions(-)

(limited to 'extensions/TrackingFlags/template/en/default')

diff --git a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
index 4e2c97dfa..efce91cfe 100644
--- a/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/bug/tracking_flags.html.tmpl
@@ -58,5 +58,6 @@
 [% END %]
 
 <script type="text/javascript">
-  TrackingFlags = [% tracking_flags_json FILTER none %];
+  var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
+  TrackingFlags = $.parseJSON(tracking_flags_str);
 </script>
diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
index 53f80a885..a29357b11 100644
--- a/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/hook/bug/create/create-form.html.tmpl
@@ -30,7 +30,8 @@
 
 <script type="text/javascript">
   $(function() {
-    var tracking_flag_components = [% tracking_flag_components FILTER none %];
+    var tracking_flag_components_str = "[% tracking_flag_components FILTER js %]";
+    var tracking_flag_components = $.parseJSON(tracking_flag_components_str);
     var highest_status_firefox = '[% highest_status_firefox FILTER js %]';
 
     $('#component')
diff --git a/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl b/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
index b66bd3df4..aab7056e6 100644
--- a/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/hook/bug/edit-after_custom_fields.html.tmpl
@@ -41,6 +41,7 @@
 [% END %]
 
 <script type="text/javascript">
-  TrackingFlags = [% tracking_flags_json FILTER none %];
+  var tracking_flags_str = "[% tracking_flags_json FILTER js %]";
+  var TrackingFlags = $.parseJSON(tracking_flags_str);
   hide_tracking_flags();
 </script>
diff --git a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
index 60406490f..e381c4f1c 100644
--- a/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
+++ b/extensions/TrackingFlags/template/en/default/pages/tracking_flags_admin_edit.html.tmpl
@@ -30,9 +30,12 @@ var selected_components = [
 %]
 
 <script>
-  var groups = [% groups || '[]' FILTER none %];
-  var flag_values = [% values || '[]' FILTER none %];
-  var flag_visibility = [% visibility || '[]' FILTER none %];
+  var groups_str = "[% groups || '[]' FILTER js %]";
+  var groups = $.parseJSON(groups_str);
+  var flag_values_str = "[% values || '[]' FILTER js %]";
+  var flag_values = $.parseJSON(flag_values_str);
+  var flag_visibility_str = "[% visibility || '[]' FILTER js %]";
+  var flag_visibility = $.parseJSON(flag_visibility_str);
 </script>
 
 <div id="edit_mode">
@@ -50,6 +53,7 @@ var selected_components = [
 <input type="hidden" name="values" id="values" value="">
 <input type="hidden" name="visibility" id="visibility" value="">
 <input type="hidden" name="save" value="1">
+<input type="hidden" name="token" value="[% issue_hash_token(['tracking_flags_edit']) FILTER html %]">
 
 [%# name/desc/etc %]
 
-- 
cgit v1.2.3-24-g4f1b