From: lpsolit%gmail.com <>
Date: Sun, 15 Oct 2006 03:53:22 +0000 (+0000)
Subject: Bug 330555: [SECURITY] H1, H2 and H3 are not filtered in global/header.html.tmpl...
X-Git-Tag: bugzilla-2.20.3~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c83d4ab474dd666436bd101413c23951a16151d;p=thirdparty%2Fbugzilla.git
Bug 330555: [SECURITY] H1, H2 and H3 are not filtered in global/header.html.tmpl - Patch by Frédéric Buclin r=justdave a=justdave
---
diff --git a/editproducts.cgi b/editproducts.cgi
index b5f62ccb52..bc458e089d 100755
--- a/editproducts.cgi
+++ b/editproducts.cgi
@@ -1018,7 +1018,7 @@ if ($action eq 'updategroupcontrols') {
 exit;
 }
 }
- PutHeader("Update group access controls for $product");
+ PutHeader("Update group access controls for " . html_quote($product));
 $headerdone = 1;
 SendSQL("SELECT id, name FROM groups " . "WHERE isbuggroup != 0 AND isactive != 0");
diff --git a/template/en/default/admin/flag-type/edit.html.tmpl b/template/en/default/admin/flag-type/edit.html.tmpl
index bbf99d0f2d..e8126fcccb 100644
--- a/template/en/default/admin/flag-type/edit.html.tmpl
+++ b/template/en/default/admin/flag-type/edit.html.tmpl
@@ -45,9 +45,9 @@
 [% END %]
 [% IF last_action == "copy" %]
- [% title = "Create Flag Type Based on $type.name" %]
+ [% title = BLOCK %]Create Flag Type Based on [% type.name FILTER html %][% END %]
 [% ELSIF last_action == "edit" %]
- [% title = "Edit Flag Type $type.name" %]
+ [% title = BLOCK %]Edit Flag Type [% type.name FILTER html %][% END %]
 [% END %]
 [% PROCESS global/header.html.tmpl
diff --git a/template/en/default/admin/groups/edit.html.tmpl b/template/en/default/admin/groups/edit.html.tmpl
index bb513cf12e..e317770cce 100644
--- a/template/en/default/admin/groups/edit.html.tmpl
+++ b/template/en/default/admin/groups/edit.html.tmpl
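Review bot: The `+ PutHeader("Update group access controls for " . html_quote($product));` line escapes this one title, but the reason it is needed — header.html.tmpl stops escaping `title` elsewhere in this commit — applies equally to every other `PutHeader()` call in this script that interpolates a product, group or component name, and none of those are in the hunk. Worth grepping the script for `PutHeader("` with an interpolated variable before landing, because an unescaped caller now reaches the page raw instead of merely being double-encoded; I cannot confirm from the hunk that `$product` is the only such value. The new contract deserves a comment on the call, `# header.html.tmpl emits the title unescaped; html_quote() anything user- or DB-supplied.` The enclosing `if ($action eq 'updategroupcontrols')` block begins before the hunk and continues past it.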
@@ -41,9 +41,10 @@
 # be aware of the group being edited and its members.
 #%]
+[% title = BLOCK %]Change Group: [% name FILTER html %][% END %]
 [% PROCESS global/header.html.tmpl
- title = "Change Group: $name"
+ title = title
 style = "tr.odd_row { background: #e9e9e9; }
diff --git a/template/en/default/admin/groups/remove.html.tmpl b/template/en/default/admin/groups/remove.html.tmpl
index 0eed2d9fbe..dca7204f6a 100644
--- a/template/en/default/admin/groups/remove.html.tmpl
+++ b/template/en/default/admin/groups/remove.html.tmpl
@@ -33,14 +33,14 @@
 [% IF remove_all %]
- [% title = "Removing All Explicit Group Memberships from '"
- _ name _ "'" %]
+ [% title = BLOCK %]Removing All Explicit Group Memberships from '[% name FILTER html %]'[% END %]
 [% ELSE %]
- [% title = "Removing All Explicit Group Memberships Matching "
- _ "Group RegExp from '" _ name _ "'" %]
+ [% title = BLOCK %]
+ Removing All Explicit Group Memberships Matching Group RegExp from '[% name FILTER html %]'
+ [% END %]
 [% END %]
-[% PROCESS global/header.html.tmpl %]
+[% PROCESS global/header.html.tmpl title = title %]
 [% IF remove_all %]

Removing explicit membership

diff --git a/template/en/default/admin/products/groupcontrol/confirm-edit.html.tmpl b/template/en/default/admin/products/groupcontrol/confirm-edit.html.tmpl
index 0af6f68e2b..bf5d572bce 100644
--- a/template/en/default/admin/products/groupcontrol/confirm-edit.html.tmpl
+++ b/template/en/default/admin/products/groupcontrol/confirm-edit.html.tmpl
@@ -22,7 +22,9 @@
 [% PROCESS global/variables.none.tmpl %]
-[% PROCESS global/header.html.tmpl title="Confirm Group Control Change for product \'$product\'" %]
+[% title = BLOCK %]Confirm Group Control Change for product '[% product FILTER html %]'[% END %]
+
+[% PROCESS global/header.html.tmpl title = title %]
 [% FOREACH group = mandatory_groups %]

diff --git a/template/en/default/admin/users/confirm-delete.html.tmpl b/template/en/default/admin/users/confirm-delete.html.tmpl
index 9296f49d6f..68d7078f0e 100644
--- a/template/en/default/admin/users/confirm-delete.html.tmpl
+++ b/template/en/default/admin/users/confirm-delete.html.tmpl
@@ -43,8 +43,10 @@
 # created
 #%]
+[% title = BLOCK %]Confirm deletion of user [% otheruser.login FILTER html %][% END %]
+
 [% PROCESS global/header.html.tmpl
- title = "Confirm deletion of user $otheruser.login"
+ title = title
 style_urls = ['skins/standard/admin.css', 'skins/standard/editusers.css'] %]
diff --git a/template/en/default/admin/users/edit.html.tmpl b/template/en/default/admin/users/edit.html.tmpl
index 24def73b0b..bb2f5c2ab3 100644
--- a/template/en/default/admin/users/edit.html.tmpl
+++ b/template/en/default/admin/users/edit.html.tmpl
@@ -25,8 +25,10 @@
 # canbless) for viewed user.
 #%]
+[% title = BLOCK %]Edit user [% otheruser.login FILTER html %][% END %]
+
 [% PROCESS global/header.html.tmpl
- title = "Edit user $login"
+ title = title
 message = message
 style_urls = ['skins/standard/editusers.css'] %]
diff --git a/template/en/default/bug/show.html.tmpl b/template/en/default/bug/show.html.tmpl
index 8db59a9800..e1e824dc07 100644
--- a/template/en/default/bug/show.html.tmpl
+++ b/template/en/default/bug/show.html.tmpl
@@ -29,7 +29,7 @@
 [% filtered_desc = bug.short_desc FILTER html %]
 [% filtered_timestamp = bug.delta_ts FILTER time %]
 [% PROCESS global/header.html.tmpl
- title = "$terms.Bug $bug.bug_id - $bug.short_desc"
+ title = "$terms.Bug $bug.bug_id - $filtered_desc"
 h1 = "$terms.Bugzilla $terms.Bug $bug.bug_id"
 h2 = filtered_desc
 h3 = "Last modified: $filtered_timestamp"
diff --git a/template/en/default/filterexceptions.pl b/template/en/default/filterexceptions.pl
index a8c9721362..dbbab8e515 100644
--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
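Review bot: The `+[% title = BLOCK %]Edit user [% otheruser.login FILTER html %][% END %]` line changes the value the title is built from (`login` before, `otheruser.login` now) in addition to escaping it, and neither the hunk nor the commit message says whether the two hold the same string. If `login` was the value taken from the request and `otheruser.login` the stored account name, that is a worthwhile hardening in its own right and should be stated, e.g. with `[%# title uses the stored login, not the request parameter %]` above the BLOCK, so a later bisect does not read it as an accidental rename. If they are the same value, a line in the commit message saying so is enough; I cannot tell from here.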
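Review bot: `title` on the `+ title = "$terms.Bug $bug.bug_id - $filtered_desc"` line is now pre-escaped because header.html.tmpl stops filtering it, but nothing at this call site records that `title`, `h1`, `h2` and `h3` are all emitted as-is, so the next field added here will interpolate `bug.short_desc` again and silently reintroduce the bug. A comment above the PROCESS makes the contract local: `[%# header.html.tmpl emits title/h1/h2/h3 unfiltered: everything interpolated here must already be HTML-escaped %]`. The pieces still unescaped — `$terms.Bug`, `$terms.Bugzilla` and `$bug.bug_id` — are safe only if the terms come from the site's own variables template and `bug_id` is numeric, which I assume but the hunk does not show.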
@@ -253,6 +253,7 @@
 'javascript',
 'style',
 'onload',
+ 'title',
 'h1',
 'h2',
 'h3',
diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index 959bf5a995..ae83e08753 100644
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -61,7 +61,7 @@
 "http://www.w3.org/TR/html4/loose.dtd">
- [% title FILTER html %]
+ [% title %]
 [%# Migration note: contents of the old Param 'headerhtml' would go here %]
diff --git a/template/en/default/list/list.html.tmpl b/template/en/default/list/list.html.tmpl
index c89957a114..34d36c392d 100644
--- a/template/en/default/list/list.html.tmpl
+++ b/template/en/default/list/list.html.tmpl
@@ -33,7 +33,7 @@
 [% title = "$terms.Bug List" %]
 [% IF searchname %]
- [% title = title _ ": " _ searchname %]
+ [% title = title _ ": " _ searchname FILTER html %]
 [% END %]
 [% style_urls = [ "skins/standard/buglist.css" ] %]
diff --git a/template/en/default/reports/components.html.tmpl b/template/en/default/reports/components.html.tmpl
index 9d9c6f9c33..f6513c0a7c 100644
--- a/template/en/default/reports/components.html.tmpl
+++ b/template/en/default/reports/components.html.tmpl
@@ -30,7 +30,7 @@
 [% filtered_product = product FILTER html %]
 [% PROCESS global/header.html.tmpl
- title = "Components for $product"
+ title = "Components for $filtered_product"
 h2 = filtered_product %]
 [% IF Param("useqacontact") %]
diff --git a/template/en/default/reports/duplicates.html.tmpl b/template/en/default/reports/duplicates.html.tmpl
index 5cbf84fe26..052e42ef23 100644
--- a/template/en/default/reports/duplicates.html.tmpl
+++ b/template/en/default/reports/duplicates.html.tmpl
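Review bot: The `+ 'title',` line adds `title` to the exception list for global/header.html.tmpl without saying why, and this list is what the template filter test consults, so from now on an unescaped `[% title %]` in the header is invisible to the only automated check that would have caught it. The justification belongs on the entry so it is not later read as an oversight: `'title',   # escaped by every caller; the header emits title unfiltered so it is not double-encoded`. With the exception in place the test proves nothing about `title` for any template that PROCESSes the header, so the burden moves to review of each caller — worth a sentence in the commit message too. The enclosing hash entry for the header template starts before the hunk.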
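Review bot: `[% title = title _ ": " _ searchname FILTER html %]` on the `+` line depends on the postfix FILTER applying to the whole directive output — the entire concatenation, as I read Template Toolkit's postfix-filter rules — before the assignment, so it also escapes the already-built `$terms.Bug List` prefix, while the other templates in this commit emit `terms.*` unfiltered; a term holding markup would render differently on this page. Every other template in the commit uses the BLOCK form, which is unambiguous about precedence and escapes only the user-supplied part: `[% title = BLOCK %][% title %]: [% searchname FILTER html %][% END %]`. The PROCESS call that hands `title` to the header is outside the hunk, so I cannot confirm it passes the value through unchanged.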
@@ -36,12 +36,15 @@
 [% PROCESS global/variables.none.tmpl %]
 [% IF query_products.size %]
- [% title = "Most Frequently Reported $terms.Bugs for ${query_products.join(', ')}" %]
+ [% title = BLOCK %]
+ Most Frequently Reported [% terms.Bugs %] for [% query_products.join(', ') FILTER html %]
+ [% END %]
 [% ELSE %]
 [% title = "Most Frequently Reported $terms.Bugs" %]
 [% END%]
 [% PROCESS global/header.html.tmpl
+ title = title
 style = ".resolved { background-color: #d9d9d9; color: #000000; }" %]
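Review bot: The three-line capture from `+ [% title = BLOCK %]` to `+ [% END %]` includes the newline and indentation around the text, so `title` gains leading and trailing whitespace unless the Template Toolkit configuration trims captured blocks, which the hunk does not show; harmless inside `<title>` but visible wherever the header renders the value verbatim. The single-line form used by the other BLOCK titles in this commit avoids the question and is the consistent spelling: `[% title = BLOCK %]Most Frequently Reported [% terms.Bugs %] for [% query_products.join(', ') FILTER html %][% END %]`. `[% terms.Bugs %]` stays unfiltered inside the BLOCK, matching the ELSE branch, which is fine only as long as the variables template is the sole source of that value.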