From 026539311662235ea26f5f3cfe885322846db6fb Mon Sep 17 00:00:00 2001
From: "gerv%gerv.net" <>
Date: Sun, 7 Sep 2003 02:23:09 +0000
Subject: Bug 207044 - Filter more template directives. None of these are
 security bugs, but they need fixing anyway. Patch by gerv; r,a=justdave.

---
 template/en/default/reports/components.html.tmpl   |  8 ++++---
 .../en/default/reports/duplicates-simple.html.tmpl |  2 +-
 .../en/default/reports/duplicates-table.html.tmpl  | 25 +++++++++++-----------
 template/en/default/reports/report-table.csv.tmpl  | 13 +++++++----
 template/en/default/reports/report-table.html.tmpl |  2 +-
 template/en/default/reports/report.html.tmpl       | 16 +++++++++-----
 6 files changed, 40 insertions(+), 26 deletions(-)

(limited to 'template/en/default/reports')

diff --git a/template/en/default/reports/components.html.tmpl b/template/en/default/reports/components.html.tmpl
index b6d5010d0..d1af07392 100644
--- a/template/en/default/reports/components.html.tmpl
+++ b/template/en/default/reports/components.html.tmpl
@@ -79,13 +79,15 @@
       <a name="[% comp.name FILTER html %]">[% comp.name FILTER html %]</a>
     </td>
     <td>
-      <a href="mailto:[% comp.initialowner %][% Param('emailsuffix') %]">
+      <a href="mailto:[% comp.initialowner FILTER html %]
+                      [% Param('emailsuffix') %]">
       [% comp.initialowner FILTER html %]</a>
     </td>
     [% IF Param("useqacontact") %]
       <td>
-        <a href="mailto:[% comp.initialqacontact %][% Param('emailsuffix') %]">
-        [% comp.initialqacontact %]</a>
+        <a href="mailto:[% comp.initialqacontact FILTER html %]
+                        [% Param('emailsuffix') %]">
+        [% comp.initialqacontact FILTER html %]</a>
       </td>
     [% END %]
   </tr>
diff --git a/template/en/default/reports/duplicates-simple.html.tmpl b/template/en/default/reports/duplicates-simple.html.tmpl
index a74926f8e..22055779a 100644
--- a/template/en/default/reports/duplicates-simple.html.tmpl
+++ b/template/en/default/reports/duplicates-simple.html.tmpl
@@ -34,7 +34,7 @@
   [% END%]
 
   <head>
-    <title>[% title %]</title>
+    <title>[% title FILTER html %]</title>
   </head>
 
   <body>
diff --git a/template/en/default/reports/duplicates-table.html.tmpl b/template/en/default/reports/duplicates-table.html.tmpl
index 0ebd2b4de..34e070f10 100644
--- a/template/en/default/reports/duplicates-table.html.tmpl
+++ b/template/en/default/reports/duplicates-table.html.tmpl
@@ -70,17 +70,18 @@
               [% bug_ids_string = bug_ids.join(',') %]
               <a href="duplicates.cgi?sortby=[% column.name %]
                 [% IF sortby == column.name %]
-                  [% "&reverse=1" IF NOT reverse %]
+                  [% "&amp;reverse=1" IF NOT reverse %]
                 [% ELSE %]
                   [%-# Some columns start off reversed %]
-                  [% "&reverse=1" IF column.name.match('delta|count') %]
+                  [% "&amp;reverse=1" IF column.name.match('delta|count') %]
                 [% END %]
-                [% "&maxrows=$maxrows" IF maxrows %]
-                [% "&changedsince=$changedsince" IF changedsince %]
-                [% "&openonly=1" IF openonly %]
-                [% "&product=$product" IF product %]
-                [% "&format=$format" IF format %]
-                [% "&bug_id=$bug_ids_string&sortvisible=1" IF sortvisible %]">
+                [% "&amp;maxrows=$maxrows" IF maxrows %]
+                [% "&amp;changedsince=$changedsince" IF changedsince %]
+                [% "&amp;openonly=1" IF openonly %]
+                [% IF product %]&amp;product=[% product FILTER html %][% END %]
+                [% IF format %]&amp;format=[% format FILTER html %][% END %]
+                [% "&amp;bug_id=$bug_ids_string&amp;sortvisible=1" 
+                                                            IF sortvisible %]">
                 [% column.description %]</a>
             </b>
           </center>
@@ -135,10 +136,10 @@
         <td><center>[% bug.delta %]</center></td>
       [% END %]
 
-      <td>[% bug.component %]</td>
-      <td><center>[% bug.bug_severity %]</center></td>
-      <td><center>[% bug.op_sys %]</center></td>
-      <td><center>[% bug.target_milestone %]</center></td>
+      <td>[% bug.component FILTER html %]</td>
+      <td><center>[% bug.bug_severity FILTER html %]</center></td>
+      <td><center>[% bug.op_sys FILTER html %]</center></td>
+      <td><center>[% bug.target_milestone FILTER html %]</center></td>
       <td>[% bug.short_desc FILTER html %]</td>
     </tr>
   [% END %]
diff --git a/template/en/default/reports/report-table.csv.tmpl b/template/en/default/reports/report-table.csv.tmpl
index 989790e47..216419fea 100644
--- a/template/en/default/reports/report-table.csv.tmpl
+++ b/template/en/default/reports/report-table.csv.tmpl
@@ -29,13 +29,18 @@
 [% row_field_disp = field_descs.$row_field || row_field %]
 
 [% title = BLOCK %]
-  [% "$tbl_field_disp: $tbl\n" IF tbl_field %]
-  [% row_field_disp IF row_field %]
+  [% IF tbl_field %]
+    [% tbl_field_disp FILTER csv %]: [% tbl FILTER csv %]
+
+  [% END %]
+  [% IF row_field %]
+    [% row_field_disp FILTER csv %]
+  [% END %]
   [% " / " IF col_field AND row_field %]
-  [% col_field_disp %]
+  [% col_field_disp FILTER csv %]
 [% END %]
 
-[% title FILTER csv %],
+[% title %],
 [% IF col_field -%]
 [% FOREACH col = col_names -%]
   [% col FILTER csv -%],
diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl
index f28c39590..e4b52b488 100644
--- a/template/en/default/reports/report-table.html.tmpl
+++ b/template/en/default/reports/report-table.html.tmpl
@@ -50,7 +50,7 @@
       <td>
       </td>
       <td align="center">        
-        <h2>[% tbl_disp %]</h2>
+        <h2>[% tbl_disp FILTER html %]</h2>
       </td>
     </tr>
   [% END %]  
diff --git a/template/en/default/reports/report.html.tmpl b/template/en/default/reports/report.html.tmpl
index 31308c10c..19d8c722f 100644
--- a/template/en/default/reports/report.html.tmpl
+++ b/template/en/default/reports/report.html.tmpl
@@ -54,11 +54,15 @@
 
 [% title = BLOCK %]
   Report: 
-  [% tbl_field_disp IF tbl_field %]
+  [% IF tbl_field %]
+    [% tbl_field_disp FILTER html %]
+  [% END %]
   [% " / " IF tbl_field AND (col_field OR row_field) %]
-  [% row_field_disp IF row_field %]
+  [% IF row_field %]
+    [% row_field_disp FILTER html %]
+  [% END %]
   [% " / " IF col_field AND row_field %]
-  [% col_field_disp %]
+  [% col_field_disp FILTER html %]
 [% END %]
 
 [% PROCESS global/header.html.tmpl 
@@ -128,7 +132,7 @@
           [% UNLESS other_format.name == format %]
             <a href="[% formaturl %]&amp;format=[% other_format.name %]">
           [% END %]
-          [% other_format.description %]
+          [% other_format.description FILTER html %]
           [% "</a>" UNLESS other_format.name == format %] | 
         [% END %]
         <a href="[% formaturl %]&amp;ctype=csv&amp;format=table">CSV</a> 
@@ -139,7 +143,9 @@
           &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
         </td>
 
-        [% sizeurl = "report.cgi?$switchbase&amp;action=wrap&amp;format=$format" %]
+        [% sizeurl = BLOCK %]report.cgi?
+          [% switchbase %]&amp;action=wrap&amp;format=
+          [% format FILTER html %][% END %]
         <td align="center">
           <a href="[% sizeurl %]&amp;width=[% width %]&amp;height=
                    [% height + 100 %]">Taller</a><br>
-- 
cgit v1.2.3-24-g4f1b