From 1176b66a72d6b480f739737da5059896e455ae2b Mon Sep 17 00:00:00 2001
From: Frédéric Buclin <LpSolit@gmail.com>
Date: Wed, 16 Oct 2013 19:24:08 +0200
Subject: Bug 924932: (CVE-2013-1743) [SECURITY] Field values are not escaped
 correctly in tabular reports r=dkl a=glob

---
 template/en/default/reports/report-table.html.tmpl | 38 ++++++++++++++--------
 1 file changed, 24 insertions(+), 14 deletions(-)

(limited to 'template')

diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl
index 466a87d9f..2747166be 100644
--- a/template/en/default/reports/report-table.html.tmpl
+++ b/template/en/default/reports/report-table.html.tmpl
@@ -30,32 +30,42 @@
 [% END %]
 
 <script type="text/javascript">
+function bz_encode (str, decode) {
+  // First decode HTML entities, if requested.
+  if (decode)
+    str = str.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
+             .replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/\s+$/,"");
+
+  // encodeURIComponent() doesn't escape single quotes.
+  return encodeURIComponent(str).replace(/'/g, escape);
+};
+
 YAHOO.util.Event.addListener(window, "load", function() {
   this.Linkify = function(elLiner, oRecord, oColumn, oData) {
     if (oData == 0)
       elLiner.innerHTML = ".";
     else if (oRecord.getData("row_title") == "Total")
-      elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% col_field FILTER js %]="
-                          + oColumn.field + "[% '&amp;' _ row_vals IF row_vals %]'>"
-                          + oData + "</a>";
+      elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% col_field FILTER uri FILTER js %]='
+                          + bz_encode(oColumn.field)
+                          + '[% "&amp;" _ row_vals IF row_vals %]">' + oData + '</a>';
     else
-      elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% row_field FILTER js %]="
-                          + oRecord.getData("row_title").replace(/\s+$/,"")
-                          + "&amp;[% col_field FILTER js %]=" + oColumn.field
-                          + "'>" + oData + "</a>";
+      elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% row_field FILTER uri FILTER js %]='
+                          + bz_encode(oRecord.getData("row_title"), 1)
+                          + '&amp;[% col_field FILTER uri FILTER js %]='
+                          + bz_encode(oColumn.field) + '">' + oData + '</a>';
   };
 
   this.LinkifyTotal = function(elLiner, oRecord, oColumn, oData) {
     if (oData == 0)
       elLiner.innerHTML = ".";
     else if (oRecord.getData("row_title") == "Total")
-      elLiner.innerHTML = "<a href='[% urlbase %][% '&amp;' _ row_vals IF row_vals %]
-                          [%~ '&amp;' _ col_vals IF col_vals %]'>"
-                          + oData + "</a>";
+      elLiner.innerHTML = '<a href="[% urlbase FILTER js %][% "&amp;" _ row_vals IF row_vals %]
+                          [%~ "&amp;" _ col_vals IF col_vals %]">'
+                          + oData + '</a>';
     else
-      elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% row_field FILTER js %]="
-                          + oRecord.getData("row_title").replace(/\s+$/,"")
-                          + "[% '&amp;' _ col_vals IF col_vals %]'>" + oData + "</a>";
+      elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% row_field FILTER uri FILTER js %]='
+                          + bz_encode(oRecord.getData("row_title"), 1)
+                          + '[% "&amp;" _ col_vals IF col_vals %]">' + oData + '</a>';
 
     YAHOO.util.Dom.addClass(elLiner.parentNode, "ttotal");
   };
@@ -147,7 +157,7 @@ YAHOO.util.Event.addListener(window, "load", function() {
 [% col_idx = 0 %]
 [% row_idx = 0 %]
 [% grand_total = 0 %]
-<div id="tabular_report_container_[% tbl FILTER js %]">
+<div id="tabular_report_container_[% tbl FILTER html %]">
 <table id="tabular_report" border="1">
   [% IF col_field %]
     <thead>
-- 
cgit v1.2.3-24-g4f1b