From c738859a411c63f64fa931a5275111aeb9d90fd8 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Tue, 21 Feb 2006 08:05:56 +0000
Subject: [SECURITY] Bug 313441: Query RSS should HTML-escape summary in
 <title> - Patch by Phil Ringnalda <philringnalda@gmail.com> r=myk a=justdave

I forgot to specify the bug number in my previous checkin. That was bug 312498.
---
 template/en/default/global/header.html.tmpl | 10 +--
 template/en/default/list/list.atom.tmpl     | 88 ++++++++++++++++++++++++++
 template/en/default/list/list.html.tmpl     | 14 ++---
 template/en/default/list/list.rss.tmpl      | 97 -----------------------------
 4 files changed, 100 insertions(+), 109 deletions(-)
 create mode 100644 template/en/default/list/list.atom.tmpl
 delete mode 100644 template/en/default/list/list.rss.tmpl

(limited to 'template/en/default')
diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index 90c3659fe..959bf5a99 100644
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -35,7 +35,7 @@
   # style: string. CSS style.
   # style_urls: list. List of URLs to CSS style sheets.
   # message: string. A message to display to the user. May contain HTML.
-  # rsslink: rss link url, May contain HTML
+  # atomlink: Atom link url, May contain HTML
   #%]
 
 [% IF message %]
@@ -100,11 +100,11 @@
       [% END %]
     [% END %]
 
-    [%# this puts the live bookmark up on firefox for the RSS feed %]
-    [% IF rsslink %]
+    [%# this puts the live bookmark up on firefox for the Atom feed %]
+    [% IF atomlink %]
        <link rel="alternate" 
-             type="application/rss+xml" title="RSS 1.0" 
-             href="[% rsslink FILTER html %]" />
+             type="application/atom+xml" title="Atom feed" 
+             href="[% atomlink FILTER html %]" />
     [% END %]
 
   </head>
diff --git a/template/en/default/list/list.atom.tmpl b/template/en/default/list/list.atom.tmpl
new file mode 100644
index 000000000..367f2858f
--- /dev/null
+++ b/template/en/default/list/list.atom.tmpl
@@ -0,0 +1,88 @@
+[%# 1.0@bugzilla.org %]
+[%# The contents of this file are subject to the Mozilla Public
+  # License Version 1.1 (the "License"); you may not use this file
+  # except in compliance with the License. You may obtain a copy of
+  # the License at http://www.mozilla.org/MPL/
+  #
+  # Software distributed under the License is distributed on an "AS
+  # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
+  # implied. See the License for the specific language governing
+  # rights and limitations under the License.
+  #
+  # The Original Code is the Bugzilla Bug Tracking System.
+  #
+  # The Initial Developer of the Original Code is Netscape Communications
+  # Corporation. Portions created by Netscape are
+  # Copyright (C) 1998 Netscape Communications Corporation. All
+  # Rights Reserved.
+  #
+  # Contributor(s): Walter Hoehn <wassa@columbia.edu>
+  #                 John Belmonte <john@neggie.net>
+  #                 Jason Remillard <jremillardshop@letterboxes.org>
+  #                 Phil Ringnalda <bugzilla@philringnalda.com>
+  #
+  # This is a template for generating an Atom representation of a buglist. 
+  #%]
+
+[% PROCESS global/variables.none.tmpl %]
+[% USE date %]
+
+[% DEFAULT title = "$terms.Bugzilla $terms.Bugs" %]
+
+<?xml version="1.0"[% IF Param('utf8') %] encoding="UTF-8"[% END %]?>
+<feed xmlns="http://www.w3.org/2005/Atom">
+  <title>[% title FILTER xml %]</title>
+  <link rel="alternate" type="text/html"
+        href="[% Param('urlbase') %]buglist.cgi?
+        [%- urlquerypart.replace('ctype=atom[&]?','') FILTER xml %]"/>
+  <link rel="self" type="application/atom+xml"
+        href="[% Param('urlbase') %]buglist.cgi?
+        [%- urlquerypart FILTER xml %]"/>
+  <updated>[% date.format(format=>"%Y-%m-%dT%H:%M:%SZ",
+              time=>bugs.nsort('changedtime').last.changedtime,
+              gmt=>1) FILTER xml %]</updated>
+  <id>[% Param('urlbase') %]buglist.cgi?[% urlquerypart FILTER xml %]</id>
+
+  [% FOREACH bug = bugs %]
+  <entry>
+    <title>[% "@" IF bug.secure_mode %][[% terms.Bug %] [%+ bug.bug_id FILTER xml %]] [% bug.short_desc FILTER xml %]</title>
+    <link rel="alternate" type="text/html"
+          href="[% Param('urlbase') FILTER xml %]show_bug.cgi?id=
+          [%- bug.bug_id FILTER xml %]"/>
+    <id>[% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %]</id>
+    <author>
+      <name>[% bug.reporter_realname FILTER xml %]</name>
+    </author>
+    <updated>[% date.format(format=>"%Y-%m-%dT%H:%M:%SZ",time=>bug.changedtime,
+                gmt=>1) FILTER xml %]</updated> 
+    <summary type="html">
+      [%# Filter out the entire block, so that we don't need to escape the html code out %]
+      [% FILTER xml %]
+      <table>
+      <tr>
+        <th>Field</th><th>Value</th>
+      </tr><tr>
+        <td>[% columns.opendate.title FILTER none %]</td>
+        <td>[% bug.opendate FILTER none %]</td>
+      </tr><tr>
+        <td>[% columns.assigned_to_realname.title FILTER none %]</td>
+        <td>[% bug.assigned_to_realname FILTER none %]</td>
+      </tr><tr>
+        <td>[% columns.priority.title FILTER none %]</td>
+        <td>[% bug.priority FILTER none %]</td>
+      </tr><tr>
+        <td>[% columns.bug_severity.title FILTER none %] </td>
+        <td>[% bug.bug_severity FILTER none %]</td>
+      </tr><tr>
+        <td>[% columns.bug_status.title FILTER none %]</td>
+        <td>[% bug.bug_status FILTER none %]</td>
+      </tr><tr>
+        <td>[% columns.changeddate.title FILTER none %]</td>
+        <td>[% bug.changeddate FILTER none -%]</td>
+      </tr>
+      </table>
+      [% END %]
+    </summary>
+  </entry>
+  [% END %]
+</feed>
diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl
index 85b7d7316..5ac715a0c 100644
--- a/template/en/default/list/list.html.tmpl
+++ b/template/en/default/list/list.html.tmpl
@@ -48,15 +48,15 @@
 [% PROCESS global/header.html.tmpl
   title = title
   style = style
-  rsslink = "buglist.cgi?$urlquerypart&title=$title&ctype=rss" 
+  atomlink = "buglist.cgi?$urlquerypart&title=$title&ctype=atom" 
 %]
 
 <div align="center">
-  [% IF Param('timezone') %]
-    <b>[% time2str("%a %b %e %Y %T %Z", currenttime, Param('timezone')) %]</b><br>
-  [% ELSE %]
-    <b>[% time2str("%a %b %e %Y %T", currenttime) %]</b><br>
-  [% END %]
+  [% IF Param('timezone') %]
+    <b>[% time2str("%a %b %e %Y %T %Z", currenttime, Param('timezone')) %]</b><br>
+  [% ELSE %]
+    <b>[% time2str("%a %b %e %Y %T", currenttime) %]</b><br>
+  [% END %]
 
   [% IF debug %]
     <p>
@@ -169,7 +169,7 @@
         [% urlquerypart FILTER html %]&amp;ctype=csv">CSV</a> |
         <a href="buglist.cgi?
         [% urlquerypart FILTER html %]&amp;title=
-        [%- title FILTER html %]&amp;ctype=rss">RSS</a> |
+        [%- title FILTER html %]&amp;ctype=atom">Feed</a> |
         <a href="buglist.cgi?
         [% urlquerypart FILTER html %]&amp;ctype=ics">iCalendar</a> |
         <a href="colchange.cgi?
diff --git a/template/en/default/list/list.rss.tmpl b/template/en/default/list/list.rss.tmpl
deleted file mode 100644
index cf6901bd7..000000000
--- a/template/en/default/list/list.rss.tmpl
+++ /dev/null
@@ -1,97 +0,0 @@
-[%# 1.0@bugzilla.org %]
-[%# The contents of this file are subject to the Mozilla Public
-  # License Version 1.1 (the "License"); you may not use this file
-  # except in compliance with the License. You may obtain a copy of
-  # the License at http://www.mozilla.org/MPL/
-  #
-  # Software distributed under the License is distributed on an "AS
-  # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or
-  # implied. See the License for the specific language governing
-  # rights and limitations under the License.
-  #
-  # The Original Code is the Bugzilla Bug Tracking System.
-  #
-  # The Initial Developer of the Original Code is Netscape Communications
-  # Corporation. Portions created by Netscape are
-  # Copyright (C) 1998 Netscape Communications Corporation. All
-  # Rights Reserved.
-  #
-  # Contributor(s): Walter Hoehn <wassa@columbia.edu>
-  #                 John Belmonte <john@neggie.net>
-  #                 Jason Remillard <jremillardshop@letterboxes.org>
-  #
-  # This is a template for generating an RSS 1.0 representation of a buglist. 
-  #%]
-
-[% PROCESS global/variables.none.tmpl %]
-[% USE date %]
-
-[% DEFAULT title = "$terms.Bugzilla $terms.Bugs" %]
-
-<?xml version="1.0"[% IF Param('utf8') %] encoding="UTF-8"[% END %]?>
-<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" 
-         xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
-         xmlns:dc="http://purl.org/dc/elements/1.1/"
-         xmlns="http://purl.org/rss/1.0/">
-  <channel rdf:about="[% Param('urlbase') %]buglist.cgi?
-         [%- urlquerypart.replace('ctype=rss[&]?','') FILTER xml %]" >
-       
-    <title>[% title FILTER xml %]</title>
-    <description>[% "$terms.Bugzilla $terms.bug list" FILTER xml %]</description>
-    
-    <link>[% Param('urlbase') %]buglist.cgi?
-          [%- urlquerypart.replace('ctype=rss[&]?','') FILTER xml -%]
-    </link>
-    
-    <sy:updatePeriod>hourly</sy:updatePeriod>
-    <sy:updateFrequency>2</sy:updateFrequency>
-    
-    <items>
-      <rdf:Seq>
-      [% FOREACH bug = bugs %]
-        <rdf:li rdf:resource="[% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %]" />
-      [% END %]
-      </rdf:Seq>
-    </items>
-    
-  </channel>
- 
-  [% FOREACH bug = bugs %]
-  <item rdf:about="[% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %]">
-    <title>
-      [% "@" IF bug.secure_mode %] [[% terms.Bug %] [%+ bug.bug_id FILTER xml %]] [% bug.short_desc FILTER xml %]
-    </title>
-    <link>[% Param('urlbase') FILTER xml %]show_bug.cgi?id=[% bug.bug_id FILTER xml %]</link>
-    <dc:creator>[% bug.reporter_realname FILTER xml %]</dc:creator>
-    <dc:date>[% date.format(format=>"%Y-%m-%dT%H:%MZ",time=>bug.opentime,gmt=>1) FILTER xml %]</dc:date> 
-    <description>
-      [%# Filter out the entire block, so that we don't need to escape the html code out %]
-      [% FILTER xml %]
-      <table>
-      <tr>
-        <th>Field</th><th>Value</th>
-      </tr><tr>
-        <td>[% columns.opendate.title FILTER none %]</td>
-        <td>[% bug.opendate FILTER none %]</td>
-      </tr><tr>
-        <td>[% columns.assigned_to_realname.title FILTER none %]</td>
-        <td>[% bug.assigned_to_realname FILTER none %]</td>
-      </tr><tr>
-        <td>[% columns.priority.title FILTER none %]</td>
-        <td>[% bug.priority FILTER none %]</td>
-      </tr><tr>
-        <td>[% columns.bug_severity.title FILTER none %] </td>
-        <td>[% bug.bug_severity FILTER none %]</td>
-      </tr><tr>
-        <td>[% columns.bug_status.title FILTER none %]</td>
-        <td>[% bug.bug_status FILTER none %]</td>
-      </tr><tr>
-        <td>[% columns.changeddate.title FILTER none %]</td>
-        <td>[% bug.changeddate FILTER none -%]</td>
-      </tr>
-      </table>
-      [% END %]
-    </description>
-  </item>
-  [% END %]
-</rdf:RDF>
-- 
cgit v1.2.3-24-g4f1b


Field	Value
[% columns.opendate.title FILTER none %]	[% bug.opendate FILTER none %]
[% columns.assigned_to_realname.title FILTER none %]	[% bug.assigned_to_realname FILTER none %]
[% columns.priority.title FILTER none %]	[% bug.priority FILTER none %]
[% columns.bug_severity.title FILTER none %]	[% bug.bug_severity FILTER none %]
[% columns.bug_status.title FILTER none %]	[% bug.bug_status FILTER none %]
[% columns.changeddate.title FILTER none %]	[% bug.changeddate FILTER none -%]