From 33c79b8bd53b084122b95d8863d776cc6f4a2ad7 Mon Sep 17 00:00:00 2001
From: Dylan Hardison <dylan@mozilla.com>
Date: Tue, 1 Mar 2016 09:48:31 -0500
Subject: Bug 1252437 - XSS vulnerability through malicious bug aliases

---
 template/en/default/bug/show-header.html.tmpl | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

(limited to 'template')

diff --git a/template/en/default/bug/show-header.html.tmpl b/template/en/default/bug/show-header.html.tmpl
index e7d0a07fb..c8acca614 100644
--- a/template/en/default/bug/show-header.html.tmpl
+++ b/template/en/default/bug/show-header.html.tmpl
@@ -28,12 +28,14 @@
   # be overridden by the calling templates.
   #%]
 
+[% filtered_alias = bug.alias FILTER html %]
 [% filtered_desc = bug.short_desc FILTER html %]
-[% subheader = filtered_desc %]
 [% filtered_timestamp = bug.delta_ts FILTER time %]
+
+[% subheader = filtered_desc %]
 [% title = "$terms.Bug $bug.bug_id &ndash; " %]
 [% IF bug.alias != '' %]
-  [% title = title _ "($bug.alias) " %]
+  [% title = title _ "($filtered_alias) " %]
 [% END %]
 [% title = title _ filtered_desc %]
 [% generate_api_token = 1 %]
-- 
cgit v1.2.3-24-g4f1b