# Do this by escaping \0 to \1\0, and replacing matches with \0\0$count\0\0
# \0 is used because it's unlikely to occur in the text, so the cost of
# doing this should be very small
- # Also, \0 won't appear in the value_quote'd bug title, so we don't have
- # to worry about bogus substitutions from there
# escape the 2nd escape char we're using
my $chr1 = chr(1);
$className = "bz_obsolete";
}
# Prevent code injection in the title.
- $title = value_quote($title);
+ $title = html_quote(clean_text($title));
$link_text =~ s/ \[details\]$//;
my $linkval = "attachment.cgi?id=$attachid";
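Review bot: The comment `# Prevent code injection in the title.` above `$title = html_quote(clean_text($title));` does not say which output context the escaping targets. That matters because html_quote, unlike xml_quote, leaves `'` unescaped according to the xml_quote POD further down this patch. I would extend the comment to something like `# $title is emitted inside a double-quoted title="..." attribute; html_quote() does not escape ', so the attribute quotes must stay double.` The same line is added in the next hunk, before `my $linkval = "show_bug.cgi?id=$bug_num";`, and the same comment applies there. Where `$title` is actually written into markup lies outside both hunks, so the attribute quoting should be confirmed against the full functions.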
$title .= " - $bug_desc";
}
# Prevent code injection in the title.
- $title = value_quote($title);
+ $title = html_quote(clean_text($title));
my $linkval = "show_bug.cgi?id=$bug_num";
if (defined $comment_num) {
use base qw(Exporter);
@Bugzilla::Util::EXPORT = qw(is_tainted trick_taint detaint_natural
detaint_signed
- html_quote url_quote value_quote xml_quote
+ html_quote url_quote xml_quote
css_class_quote html_light_quote url_decode
i_am_cgi get_netaddr correct_urlbase
lsearch
return $toencode;
}
-sub value_quote {
- my ($var) = (@_);
- $var =~ s/\&/\&/g;
- $var =~ s/</\</g;
- $var =~ s/>/\>/g;
- $var =~ s/\"/\"/g;
- # See bug http://bugzilla.mozilla.org/show_bug.cgi?id=4928 for
- # explanation of why Bugzilla does this linebreak substitution.
- # This caused form submission problems in mozilla (bug 22983, 32000).
- $var =~ s/\r\n/\
/g;
- $var =~ s/\n\r/\
/g;
- $var =~ s/\r/\
/g;
- $var =~ s/\n/\
/g;
- return $var;
-}
-
sub xml_quote {
my ($var) = (@_);
$var =~ s/\&/\&/g;
# Functions for quoting
html_quote($var);
url_quote($var);
- value_quote($var);
xml_quote($var);
# Functions for decoding
Quotes characters so that they may be used as CSS class names. Spaces
are replaced by underscores.
-=item C<value_quote($val)>
-
-As well as escaping html like C<html_quote>, this routine converts newlines
-into 
, suitable for use in html attributes.
-
=item C<xml_quote($val)>
This is similar to C<html_quote>, except that ' is escaped to '. This
# Pick up bugid from the mapdata label field. Getting the title from
# bugtitle hash instead of mapdata allows us to get the summary even
# when showsummary is off, and also gives us status and resolution.
- my $bugtitle = value_quote($bugtitles{$bugid});
+ my $bugtitle = html_quote(clean_text($bugtitles{$bugid}));
$map .= qq{<area alt="bug $bugid" name="bug$bugid" shape="rect" } .
qq{title="$bugtitle" href="$url" } .
qq{coords="$leftx,$topy,$rightx,$bottomy">\n};
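Review bot: `$url` is interpolated into `href="$url"` right next to the newly escaped `title="$bugtitle"`, with no quoting visible in this hunk, so the `<area>` tag is only as safe as that attribute. The assignment of `$url` is outside the hunk; if it is read back from generated map data rather than built from constants, it should either go through `html_quote($url)` or be confirmed as already HTML-escaped by whatever produced it. In the second case a short comment such as `# $url is already attribute-safe because ...` would record why it is left alone. Because html_quote does not escape `'` (per the xml_quote POD in this patch), the double quotes around `title="..."` in the `qq{}` string are also load-bearing and worth a one-line comment.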
use Support::Files;
BEGIN {
- use Test::More tests => 13;
+ use Test::More tests => 12;
use_ok(Bugzilla);
use_ok(Bugzilla::Util);
}
#url_quote():
is(url_quote("<lala&>gaa\"'[]{\\"),"%3Clala%26%3Egaa%22%27%5B%5D%7B%5C",'url_quote');
-#value_quote():
-is(value_quote("<lal\na&>g\naa\"'[\n]{\\"),"<lal
a&>g
aa"'[
]{\\",'value_quote');
-
#lsearch():
my @list = ('apple','pear','plum','<"\\%');
is(lsearch(\@list,'pear'),1,'lsearch 1');
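Review bot: Removing the value_quote() case leaves the replacement expression `html_quote(clean_text(...))` without a test in the visible part of this file, although it now guards the title attributes changed in the other hunks. I would add one `is(...)` case that passes a string containing `"`, `<`, `&` and an embedded newline through `html_quote(clean_text(...))` and checks that the quote comes back escaped and the newline does not survive. The `tests =>` count in the BEGIN block would then go back to 13. This assumes clean_text is exported by Bugzilla::Util, which the export list in this patch shows only in part.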