From 026539311662235ea26f5f3cfe885322846db6fb Mon Sep 17 00:00:00 2001
From: "gerv%gerv.net" <>
Date: Sun, 7 Sep 2003 02:23:09 +0000
Subject: Bug 207044 - Filter more template directives. None of these are
 security bugs, but they need fixing anyway. Patch by gerv; r,a=justdave.

---
 template/en/default/bug/activity/table.html.tmpl   |  2 +-
 .../en/default/bug/create/create-guided.html.tmpl  |  3 +-
 template/en/default/bug/create/create.html.tmpl    |  3 +-
 template/en/default/bug/dependency-tree.html.tmpl  | 44 +++++++++++++---------
 template/en/default/bug/process/bugmail.html.tmpl  |  4 +-
 .../bug/process/verify-new-product.html.tmpl       |  6 ++-
 template/en/default/bug/show-multiple.html.tmpl    |  4 +-
 .../en/default/bug/votes/list-for-user.html.tmpl   |  2 +-
 8 files changed, 41 insertions(+), 27 deletions(-)

(limited to 'template/en/default/bug')

diff --git a/template/en/default/bug/activity/table.html.tmpl b/template/en/default/bug/activity/table.html.tmpl
index ec005cc38..af6305b5d 100644
--- a/template/en/default/bug/activity/table.html.tmpl
+++ b/template/en/default/bug/activity/table.html.tmpl
@@ -60,7 +60,7 @@
     [% FOREACH operation = operations %]
       <tr>
         <td rowspan="[% operation.changes.size %]" valign="top">
-          [% operation.who %]
+          [% operation.who FILTER html %]
         </td>
         <td rowspan="[% operation.changes.size %]" valign="top">
           [% operation.when FILTER time %]
diff --git a/template/en/default/bug/create/create-guided.html.tmpl b/template/en/default/bug/create/create-guided.html.tmpl
index fb5828fe8..7e0220b85 100644
--- a/template/en/default/bug/create/create-guided.html.tmpl
+++ b/template/en/default/bug/create/create-guided.html.tmpl
@@ -224,7 +224,8 @@ function PutDescription() {
         The area where the problem occurs.
         To pick the right component, you could use the same one as
         similar [% terms.bugs %] you found in your search, or read the full list of
-        <a href="describecomponents.cgi?product=[% product %]">component
+        <a href="describecomponents.cgi?product=
+            [% product FILTER url_quote %]">component
         descriptions</a> if you need more help.
       </p>
 
diff --git a/template/en/default/bug/create/create.html.tmpl b/template/en/default/bug/create/create.html.tmpl
index 14ce27180..b15efffac 100644
--- a/template/en/default/bug/create/create.html.tmpl
+++ b/template/en/default/bug/create/create.html.tmpl
@@ -171,7 +171,8 @@ function set_assign_to() {
     <td colspan="2"></td>
   </tr>
 [% ELSE %]
-  <input type="hidden" name="bug_status" value="[% default.bug_status %]">
+  <input type="hidden" name="bug_status" 
+         value="[% default.bug_status FILTER html %]">
 [% END %]
 
   <tr>
diff --git a/template/en/default/bug/dependency-tree.html.tmpl b/template/en/default/bug/dependency-tree.html.tmpl
index 194691e56..16f68b394 100644
--- a/template/en/default/bug/dependency-tree.html.tmpl
+++ b/template/en/default/bug/dependency-tree.html.tmpl
@@ -32,8 +32,14 @@
 [% PROCESS depthControlToolbar %]
 
 [%# Display the tree of bugs that this bug depends on. %]
-<h3>[% hide_resolved ? "Open $terms.bugs" : "$terms.Bugs" %]
- that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %]&nbsp;[% bugid %]</a> depends on</h3>
+<h3>
+  [% IF hide_resolved %]
+    Open [% terms.bugs %]
+  [% ELSE %]
+    [% terms.Bugs %]
+  [% END %] 
+  that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %]&nbsp;[% bugid %]</a> 
+  depends on</h3>
 [% IF dependson_ids.size > 0 %]
   (
   [% IF maxdepth -%]Up to [% maxdepth %] level[% "s" IF maxdepth > 1 %] deep | [% END %]
@@ -48,8 +54,14 @@
 [% END %]
 
 [%# Display the tree of bugs that this bug blocks. %]
-<h3>[% hide_resolved ? "Open $terms.bugs" : "$terms.Bugs" %]
- that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %]&nbsp;[% bugid %]</a> blocks</h3>
+<h3>
+  [% IF hide_resolved %]
+    Open [% terms.bugs %]
+  [% ELSE %]
+    [% terms.Bugs %]
+  [% END %] 
+  that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %]&nbsp;[% bugid %]</a> 
+  blocks</h3>
 [% IF blocked_ids.size > 0 %]
   (
   [% IF maxdepth -%]Up to [% maxdepth %] level[% "s" IF maxdepth > 1 %] deep | [% END %]
@@ -112,7 +124,8 @@
        <input name="maxdepth" type="hidden" value="[% maxdepth %]">
      [% END %]
      <input type="hidden" name="hide_resolved" value="[% hide_resolved ? 0 : 1 %]">
-     <input type="submit" value="[% hide_resolved ? "Show" : "Hide" %] Resolved">
+     <input type="submit" 
+            value="[% IF hide_resolved %]Show[% ELSE %]Hide[% END %] Resolved">
    </form>
    </td>
 
@@ -128,9 +141,8 @@
    <form method="get" action="showdependencytree.cgi"
          style="display: inline; margin: 0px;">
      [%# set to one form %]
-     <input type="submit" value="&nbsp;1&nbsp;" [%
-         realdepth < 2 || maxdepth == 1 ? "disabled" : ""
-     %]>
+     <input type="submit" value="&nbsp;1&nbsp;" 
+       [% "disabled" IF realdepth < 2 || maxdepth == 1 %]>
      <input name="id" type="hidden" value="[% bugid %]">
      <input name="maxdepth" type="hidden" value="1">
      <input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
@@ -148,9 +160,8 @@
                        : ( maxdepth ? maxdepth - 1 : realdepth - 1 )
      %]">
      <input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
-     <input type="submit" value="&nbsp;&lt;&nbsp;" [%
-        realdepth < 2 || ( maxdepth && maxdepth < 2 ) ? "disabled" : ""
-     %]>
+     <input type="submit" value="&nbsp;&lt;&nbsp;" 
+       [% "disabled" IF realdepth < 2 || ( maxdepth && maxdepth < 2 ) %]>
    </form>
    </td>
 
@@ -165,7 +176,7 @@
      <input name="id" type="hidden" value="[% bugid %]">
      <input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
      <noscript>
-       <input type="submit" value="Change" [% realdepth < 2 ? "disabled" : "" %]>
+       <input type="submit" value="Change" [% "disabled" IF realdepth < 2 %]>
      </noscript>
    </form>
    </td>
@@ -180,10 +191,9 @@
        <input name="maxdepth" type="hidden" value="[% maxdepth + 1 %]">
      [% END %]
      <input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
-     <input type="submit" value="&nbsp;&gt;&nbsp;" [%
-            realdepth < 2 || ! maxdepth || maxdepth >= realdepth ?
-            "disabled" : ""
-     %]>
+     <input type="submit" value="&nbsp;&gt;&nbsp;" 
+        [% "disabled" IF realdepth < 2 || !maxdepth || maxdepth >= realdepth %]
+    %]>
    </form>
    </td>
 
@@ -194,7 +204,7 @@
      <input name="id" type="hidden" value="[% bugid %]">
      <input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
      <input type="submit" value="&nbsp;Unlimited&nbsp;"
-       [% maxdepth == 0 || maxdepth == realdepth ? "disabled" : "" %]>
+       [% "disabled" IF maxdepth == 0 || maxdepth == realdepth %]>
    </form>
    </td>
  </tr>
diff --git a/template/en/default/bug/process/bugmail.html.tmpl b/template/en/default/bug/process/bugmail.html.tmpl
index 631842a40..1e9c13abe 100644
--- a/template/en/default/bug/process/bugmail.html.tmpl
+++ b/template/en/default/bug/process/bugmail.html.tmpl
@@ -61,10 +61,10 @@
 [%############################################################################%]
 
 [% BLOCK emails %]
-  <b>[% description %]:</b>
+  <b>[% description FILTER html %]:</b>
   [% IF names.size > 0 %]
     [%+ FOREACH name = names %]
-      [% name %][% ", " UNLESS loop.last() %]
+      [% name FILTER html %][% ", " UNLESS loop.last() %]
     [% END %]
   [% ELSE %]
     no one
diff --git a/template/en/default/bug/process/verify-new-product.html.tmpl b/template/en/default/bug/process/verify-new-product.html.tmpl
index fd37707dc..b3e6af250 100644
--- a/template/en/default/bug/process/verify-new-product.html.tmpl
+++ b/template/en/default/bug/process/verify-new-product.html.tmpl
@@ -48,11 +48,13 @@
 
   <p>
   [% IF use_target_milestone %]
-    You are moving the [% terms.bug %](s) to the product <b>[% form.product %]</b>,
+    You are moving the [% terms.bug %](s) to the product 
+    <b>[% form.product FILTER html %]</b>,
     and the version, component, and/or target milestone fields are no longer
     correct.  Please set the correct version, component, and target milestone now:
   [% ELSE %]
-    You are moving the [% terms.bug %](s) to the product <b>[% form.product %]</b>,
+    You are moving the [% terms.bug %](s) to the product 
+    <b>[% form.product FILTER html %]</b>,
     and the version and component fields are no longer correct.
     Please set the correct version and component now:
   [% END %]
diff --git a/template/en/default/bug/show-multiple.html.tmpl b/template/en/default/bug/show-multiple.html.tmpl
index bda5e4f91..340a0ebf8 100644
--- a/template/en/default/bug/show-multiple.html.tmpl
+++ b/template/en/default/bug/show-multiple.html.tmpl
@@ -97,7 +97,7 @@
     <tr>
       <td colspan="2">
         <b>Component:</b>&nbsp;
-        [% bug.component %]
+        [% bug.component FILTER html %]
       </td>
 
       <td colspan="2">
@@ -190,7 +190,7 @@
 
 [% BLOCK cell %]
   <td>
-    <b>[% attr.description%]:</b>&nbsp;
+    <b>[% attr.description FILTER html %]:</b>&nbsp;
     [% bug.${attr.name} FILTER html %]
   </td>
 [% END %]
diff --git a/template/en/default/bug/votes/list-for-user.html.tmpl b/template/en/default/bug/votes/list-for-user.html.tmpl
index bcb5956ea..1505713ff 100644
--- a/template/en/default/bug/votes/list-for-user.html.tmpl
+++ b/template/en/default/bug/votes/list-for-user.html.tmpl
@@ -21,9 +21,9 @@
 
 [% PROCESS global/variables.none.tmpl %]
 
+[% h2 = voting_user.login FILTER html %]
 [% PROCESS global/header.html.tmpl
            title = "Show Votes"
-           h2 = voting_user.name
  %]
 
 [% canedit = 1 IF voting_user.login == user.login %]
-- 
cgit v1.2.3-24-g4f1b