$var =~ s/\@/\@/g;
return $var;
},
+
+ # We force filtering of every variable in key security-critical
+ # places; we have a none filter for people to use when they
+ # really, really don't want a variable to be changed.
+ none => sub { return $_[0]; } ,
},
PLUGIN_BASE => 'Bugzilla::Template::Plugin',
csv => sub { return $_; },
time => sub { return $_; },
obscure_email => sub { return $_; },
+ none => sub { return $_; } ,
},
}) || die ("Could not create Template Provider: "
. Template::Provider->error() . "\n");
csv => sub { return $_ } ,
time => sub { return $_ } ,
obscure_email => sub { return $_ } ,
+ none => sub { return $_ } ,
},
}
);
# Note: If a single directive prints two things, and only one is
# filtered, we may not catch that case.
return 1 if $directive =~ /FILTER\ (html|csv|js|url_quote|css_class_quote|
- quoteUrls|time|uri|xml|lower)/x;
+ quoteUrls|time|uri|xml|lower|none)/x;
return 0;
}
</tr>
<tr>
<th align="right">Change request expires:</th>
- <td>[% login_change_date %]</td>
+ <td>[% login_change_date FILTER time %]</td>
</tr>
[% ELSE %]
<tr>
</tr>
<tr>
<th align="right">Completion date:</th>
- <td>[% login_change_date %]</td>
+ <td>[% login_change_date FILTER time %]</td>
</tr>
[% END %]
[% ELSE %]
<tr>
<th align="right">Users to watch:</th>
<td>
- <input size="35" name="watchedusers" value="[% watchedusers %]">
+ <input size="35" name="watchedusers"
+ value="[% watchedusers FILTER html %]">
</td>
</tr>
[% END %]
%]
<p>
- There are [% flag_count %] flags of type [% name %].
+ There are [% flag_count %] flags of type [% name FILTER html %].
If you delete this type, those flags will also be deleted. Note that
instead of deleting the type you can
<a href="editflagtypes.cgi?action=deactivate&id=[% flag_type.id %]">deactivate it</a>,
<input type="hidden" name="id" value="[% type.id %]">
<input type="hidden" name="target_type" value="[% type.target_type %]">
[% FOREACH category = type.inclusions %]
- <input type="hidden" name="inclusions" value="[% category %]">
+ <input type="hidden" name="inclusions" value="[% category FILTER html %]">
[% END %]
[% FOREACH category = type.exclusions %]
- <input type="hidden" name="exclusions" value="[% category %]">
+ <input type="hidden" name="exclusions" value="[% category FILTER html %]">
[% END %]
<table id="form" cellspacing="0" cellpadding="4" border="0">
<select name="product" onchange="selectProduct(this.form, 'product', 'component', '__Any__');">
<option value="">__Any__</option>
[% FOREACH item = products %]
- <option value="[% item %]" [% "selected" IF type.product.name == item %]>[% item %]</option>
+ <option value="[% item FILTER html %]"
+ [% "selected" IF type.product.name == item %]>
+ [% item FILTER html %]</option>
[% END %]
</select><br>
<select name="component">
<option value="">__Any__</option>
[% FOREACH item = components %]
- <option value="[% item %]" [% "selected" IF type.component.name == item %]>[% item %]</option>
+ <option value="[% item FILTER html %]"
+ [% "selected" IF type.component.name == item %]>
+ [% item FILTER html %]</option>
[% END %]
</select><br>
<input type="submit" name="categoryAction" value="Include">
<tr>
<th></th>
<td>
- <input type="submit" value="[% (last_action == "enter" || last_action == "copy") ? "Create" : "Save Changes" %]">
+ <input type="submit" value="
+ [% IF (last_action == "enter" || last_action == "copy") %]Create
+ [% ELSE %]Save Changes
+ [% END %]">
</td>
</tr>
[% FOREACH type = types %]
- <tr class="[% type.is_active ? "active" : "inactive" %]">
+ <tr class="[% IF type.is_active %]active[% ELSE %]inactive[% END %]">
<td><a href="editflagtypes.cgi?action=edit&id=[% type.id %]">[% type.name FILTER html %]</a></td>
<td>[% type.description FILTER html %]</td>
<td>
[% IF attachment.flags.size == 0 %]
<i>none</i>
[% ELSE %]
- [% FOR flag = attachment.flags %]
+ [% FOREACH flag = attachment.flags %]
[% IF flag.setter %]
[% flag.setter.nick FILTER html %]:
[% END %]
- [%+ flag.type.name %][% flag.status %]
+ [%+ flag.type.name FILTER html %][% flag.status %]
[%+ IF flag.status == "?" && flag.requestee %]
- ([% flag.requestee.nick %])
+ ([% flag.requestee.nick FILTER html %])
[% END %]<br>
[% END %]
[% END %]
[% FOREACH operation = operations %]
<tr>
<td rowspan="[% operation.changes.size %]" valign="top">
- [% operation.who %]
+ [% operation.who FILTER html %]
</td>
<td rowspan="[% operation.changes.size %]" valign="top">
[% operation.when FILTER time %]
The area where the problem occurs.
To pick the right component, you could use the same one as
similar [% terms.bugs %] you found in your search, or read the full list of
- <a href="describecomponents.cgi?product=[% product %]">component
+ <a href="describecomponents.cgi?product=
+ [% product FILTER url_quote %]">component
descriptions</a> if you need more help.
</p>
<td colspan="2"></td>
</tr>
[% ELSE %]
- <input type="hidden" name="bug_status" value="[% default.bug_status %]">
+ <input type="hidden" name="bug_status"
+ value="[% default.bug_status FILTER html %]">
[% END %]
<tr>
[% PROCESS depthControlToolbar %]
[%# Display the tree of bugs that this bug depends on. %]
-<h3>[% hide_resolved ? "Open $terms.bugs" : "$terms.Bugs" %]
- that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %] [% bugid %]</a> depends on</h3>
+<h3>
+ [% IF hide_resolved %]
+ Open [% terms.bugs %]
+ [% ELSE %]
+ [% terms.Bugs %]
+ [% END %]
+ that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %] [% bugid %]</a>
+ depends on</h3>
[% IF dependson_ids.size > 0 %]
(
[% IF maxdepth -%]Up to [% maxdepth %] level[% "s" IF maxdepth > 1 %] deep | [% END %]
[% END %]
[%# Display the tree of bugs that this bug blocks. %]
-<h3>[% hide_resolved ? "Open $terms.bugs" : "$terms.Bugs" %]
- that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %] [% bugid %]</a> blocks</h3>
+<h3>
+ [% IF hide_resolved %]
+ Open [% terms.bugs %]
+ [% ELSE %]
+ [% terms.Bugs %]
+ [% END %]
+ that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %] [% bugid %]</a>
+ blocks</h3>
[% IF blocked_ids.size > 0 %]
(
[% IF maxdepth -%]Up to [% maxdepth %] level[% "s" IF maxdepth > 1 %] deep | [% END %]
<input name="maxdepth" type="hidden" value="[% maxdepth %]">
[% END %]
<input type="hidden" name="hide_resolved" value="[% hide_resolved ? 0 : 1 %]">
- <input type="submit" value="[% hide_resolved ? "Show" : "Hide" %] Resolved">
+ <input type="submit"
+ value="[% IF hide_resolved %]Show[% ELSE %]Hide[% END %] Resolved">
</form>
</td>
<form method="get" action="showdependencytree.cgi"
style="display: inline; margin: 0px;">
[%# set to one form %]
- <input type="submit" value=" 1 " [%
- realdepth < 2 || maxdepth == 1 ? "disabled" : ""
- %]>
+ <input type="submit" value=" 1 "
+ [% "disabled" IF realdepth < 2 || maxdepth == 1 %]>
<input name="id" type="hidden" value="[% bugid %]">
<input name="maxdepth" type="hidden" value="1">
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
: ( maxdepth ? maxdepth - 1 : realdepth - 1 )
%]">
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
- <input type="submit" value=" < " [%
- realdepth < 2 || ( maxdepth && maxdepth < 2 ) ? "disabled" : ""
- %]>
+ <input type="submit" value=" < "
+ [% "disabled" IF realdepth < 2 || ( maxdepth && maxdepth < 2 ) %]>
</form>
</td>
<input name="id" type="hidden" value="[% bugid %]">
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
<noscript>
- <input type="submit" value="Change" [% realdepth < 2 ? "disabled" : "" %]>
+ <input type="submit" value="Change" [% "disabled" IF realdepth < 2 %]>
</noscript>
</form>
</td>
<input name="maxdepth" type="hidden" value="[% maxdepth + 1 %]">
[% END %]
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
- <input type="submit" value=" > " [%
- realdepth < 2 || ! maxdepth || maxdepth >= realdepth ?
- "disabled" : ""
- %]>
+ <input type="submit" value=" > "
+ [% "disabled" IF realdepth < 2 || !maxdepth || maxdepth >= realdepth %]
+ %]>
</form>
</td>
<input name="id" type="hidden" value="[% bugid %]">
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
<input type="submit" value=" Unlimited "
- [% maxdepth == 0 || maxdepth == realdepth ? "disabled" : "" %]>
+ [% "disabled" IF maxdepth == 0 || maxdepth == realdepth %]>
</form>
</td>
</tr>
[%############################################################################%]
[% BLOCK emails %]
- <b>[% description %]:</b>
+ <b>[% description FILTER html %]:</b>
[% IF names.size > 0 %]
[%+ FOREACH name = names %]
- [% name %][% ", " UNLESS loop.last() %]
+ [% name FILTER html %][% ", " UNLESS loop.last() %]
[% END %]
[% ELSE %]
no one
<p>
[% IF use_target_milestone %]
- You are moving the [% terms.bug %](s) to the product <b>[% form.product %]</b>,
+ You are moving the [% terms.bug %](s) to the product
+ <b>[% form.product FILTER html %]</b>,
and the version, component, and/or target milestone fields are no longer
correct. Please set the correct version, component, and target milestone now:
[% ELSE %]
- You are moving the [% terms.bug %](s) to the product <b>[% form.product %]</b>,
+ You are moving the [% terms.bug %](s) to the product
+ <b>[% form.product FILTER html %]</b>,
and the version and component fields are no longer correct.
Please set the correct version and component now:
[% END %]
<tr>
<td colspan="2">
<b>Component:</b>
- [% bug.component %]
+ [% bug.component FILTER html %]
</td>
<td colspan="2">
[% BLOCK cell %]
<td>
- <b>[% attr.description%]:</b>
+ <b>[% attr.description FILTER html %]:</b>
[% bug.${attr.name} FILTER html %]
</td>
[% END %]
[% PROCESS global/variables.none.tmpl %]
+[% h2 = voting_user.login FILTER html %]
[% PROCESS global/header.html.tmpl
title = "Show Votes"
- h2 = voting_user.name
%]
[% canedit = 1 IF voting_user.login == user.login %]
# Safe vmethods - [% foo.size %]
# TT loop variables - [% loop.count %]
# Already-filtered stuff - [% wibble FILTER html %]
-# where the filter is one of html|csv|js|url_quote|quoteUrls|time|uri|xml
-
-# Key:
-#
-# "#": directive should be filtered, but not doing so is not a security hole
-# The plan is to come back and add filtering for all those marked "#" after
-# the security release.
-#
-# "# Email": as above; but noting that it's an email address.
-# Other sorts of comments denote cleanups noticed while doing this work;
-# they should be fixed in the very short term.
+# where the filter is one of html|csv|js|url_quote|quoteUrls|time|uri|xml|none
%::safe = (
'field.accesskey',
'sel.name',
'sel.accesskey',
- 'button_name', #
-],
-
-'search/knob.html.tmpl' => [
- 'button_name', #
-],
-
-'search/search-report-graph.html.tmpl' => [
- 'button_name', #
-],
-
-'search/search-report-table.html.tmpl' => [
- 'button_name', #
],
'search/search-specific.html.tmpl' => [
'reports/components.html.tmpl' => [
'numcols',
'comp.description',
- 'comp.initialowner', # email address
- 'comp.initialqacontact', # email address
-],
-
-'reports/duplicates-simple.html.tmpl' => [
- 'title', #
],
'reports/duplicates-table.html.tmpl' => [
'"&maxrows=$maxrows" IF maxrows',
'"&changedsince=$changedsince" IF changedsince',
- '"&product=$product" IF product', #
- '"&format=$format" IF format', #
'"&bug_id=$bug_ids_string&sortvisible=1" IF sortvisible',
'column.name',
'column.description',
'bug.id',
'bug.count',
'bug.delta',
- 'bug.component', #
- 'bug.bug_severity', #
- 'bug.op_sys', #
- 'bug.target_milestone', #
],
'reports/duplicates.html.tmpl' => [
],
'reports/report-table.csv.tmpl' => [
- '"$tbl_field_disp: $tbl\n" IF tbl_field', #
- 'row_field_disp IF row_field', #
- 'col_field_disp', #
'num_bugs',
'data.$tbl.$col.$row',
+ 'title',
'', # This is not a bug in the filter exceptions - this template has an
# empty directive which is necessary for it to work properly.
],
'"&$tbl_vals" IF tbl_vals',
'"&$col_vals" IF col_vals',
'"&$row_vals" IF row_vals',
- 'tbl_disp', #
'classes.$row_idx.$col_idx',
'urlbase',
'data.$tbl.$col.$row',
],
'reports/report.html.tmpl' => [
- 'tbl_field_disp IF tbl_field', #
- 'row_field_disp IF row_field', #
- 'col_field_disp', #
'imagebase',
'width',
'height',
'imageurl',
'formaturl',
'other_format.name',
- 'other_format.description', #
'sizeurl',
'switchbase',
'format',
'list/change-columns.html.tmpl' => [
'column',
- 'field_descs.${column} || column', #
],
'list/edit-multiple.html.tmpl' => [
'list/list.html.tmpl' => [
'buglist',
- 'bugowners', # email address
],
'list/list.rdf.tmpl' => [
],
'list/table.html.tmpl' => [
- 'abbrev.$id.title || field_descs.$id || column.title', #
'tableheader',
'bug.bug_id',
],
'proddesc.$p',
],
+# You are not permitted to add any values here. Everything in this file should
+# be filtered unless there's an extremely good reason why not, in which case,
+# use the "none" dummy filter.
'global/code-error.html.tmpl' => [
- 'parameters',
- 'bug.bug_id',
- 'field',
- 'argument', #
- 'function', #
- 'bug_id', # Need to remove unused error no_bug_data
- 'variables.id',
- 'template_error_msg', # Should move filtering from CGI.pl to template
- 'error',
- 'error_message',
],
-
+
'global/header.html.tmpl' => [
'javascript',
'style',
],
'global/messages.html.tmpl' => [
- 'parameters',
- '# ---', # Work out what this is
- 'namedcmd', #
- 'old_email', # email address
- 'new_email', # email address
'message_tag',
'series.frequency * 2',
],
'global/select-menu.html.tmpl' => [
'options',
- 'onchange', # Again, need to be certain where we are filtering
'size',
],
'global/useful-links.html.tmpl' => [
'email',
- 'user.login', # Email address
],
-# Need to change this and code-error to use a no-op filter, for safety
+# You are not permitted to add any values here. Everything in this file should
+# be filtered unless there's an extremely good reason why not, in which case,
+# use the "none" dummy filter.
'global/user-error.html.tmpl' => [
- 'disabled_reason',
- 'bug_link',
- 'action', #
- 'bug_id',
- 'both',
- 'filesize',
- 'attach_id',
- 'field',
- 'field_descs.$field',
- 'today',
- 'product', #
- 'max',
- 'votes',
- 'error_message',
],
'global/confirm-user-match.html.tmpl' => [
- '# use the global field descs', # Need to fix commenting style here
'script',
- '# this is messy to allow later expansion',
- '# ELSIF for things that don\'t belong in the field_descs hash here',
'fields.${field_name}.flag_type.name',
],
],
'bug/dependency-tree.html.tmpl' => [
- 'hide_resolved ? "Open $terms.bugs" : "$terms.Bugs"',
'bugid',
'maxdepth',
'dependson_ids.join(",")',
'blocked_ids.join(",")',
'dep_id',
'hide_resolved',
- 'realdepth < 2 ? "disabled" : ""',
'maxdepth + 1',
- 'maxdepth == 0 || maxdepth == realdepth ? "disabled" : ""',
- 'realdepth < 2 || ( maxdepth && maxdepth < 2 ) ? "disabled" : ""',
'maxdepth > 0 && maxdepth <= realdepth ? maxdepth : ""',
'maxdepth == 1 ? 1
: ( maxdepth ? maxdepth - 1 : realdepth - 1 )',
- 'realdepth < 2 || ! maxdepth || maxdepth >= realdepth ?
- "disabled" : ""',
],
'bug/edit.html.tmpl' => [
'bug/show-multiple.html.tmpl' => [
'bug.bug_id',
- 'bug.component', #
- 'attr.description', #
],
'bug/show.xml.tmpl' => [
'product.total',
'product.maxvotes',
],
-# h2 = voting_user.name # Email
'bug/process/confirm-duplicate.html.tmpl' => [
'original_bug_id',
'id',
],
-'bug/process/verify-new-product.html.tmpl' => [
- 'form.product', #
-],
-
-'bug/process/bugmail.html.tmpl' => [
- 'description',
- 'name', # Email
-],
-
'bug/create/comment.txt.tmpl' => [
'form.comment',
],
'bug/create/create.html.tmpl' => [
- 'default.bug_status', #
'g.bit',
'g.description',
'sel.name',
'bug/create/create-guided.html.tmpl' => [
'matches.0',
'tablecolour',
- 'product', #
'buildid',
'sel',
],
],
'bug/activity/table.html.tmpl' => [
- 'operation.who', # Email
'change.attachid',
'change.field',
],
'attachment/list.html.tmpl' => [
'attachment.attachid',
- 'FOR flag = attachment.flags', # Bug? No FOR directive
- 'flag.type.name',
'flag.status',
- 'flag.requestee.nick', # Email
'bugid',
],
'admin/flag-type/confirm-delete.html.tmpl' => [
'flag_count',
- 'name', #
'flag_type.id',
],
'action',
'type.id',
'type.target_type',
- 'category', #
- 'item', #
'type.sortkey || 1',
- '(last_action == "enter" || last_action == "copy") ? "Create" : "Save Changes"',
'typeLabelLowerPlural',
'typeLabelLowerSingular',
],
'target',
],
-'account/prefs/account.html.tmpl' => [
- 'login_change_date', #
-],
-
'account/prefs/email.html.tmpl' => [
- 'watchedusers', # Email
'role',
'reason.name',
'reason.description',
],
);
-
-# Should filter reports/report.html.tmpl:130 $format
[%# This is a list of all the possible code errors. Please keep them in
# alphabetical order by error tag, and leave a blank line between errors.
+ #
+ # Note that you must explicitly filter every single template variable
+ # in this file; if you do not wish to change it, use the "none" filter.
#%]
[% PROCESS global/variables.none.tmpl %]
[% DEFAULT title = "Internal Error" %]
[% error_message = BLOCK %]
- [% IF error == "aaa_example_error_tag" %]
- [% title = "Example Error" %]
- This is an example error. The title is set above. This text is the body
- of the error. It can contain arbitrary <b>HTML</b>, and also references
- to any [% parameters %] which you may have set before calling
- ThrowCodeError.
-
- [% ELSIF error == "action_unrecognized" %]
+ [% IF error == "action_unrecognized" %]
I don't recognize the value (<em>[% variables.action FILTER html %]</em>)
of the <em>action</em> variable.
An authorization handler return value was not handled by the login code.
[% ELSIF error == "bug_error" %]
- Trying to retrieve [% terms.bug %] [%+ bug.bug_id %] returned the error
- [% bug.error FILTER html %]
+ Trying to retrieve [% terms.bug %] [%+ bug.bug_id FILTER html %] returned
+ the error [% bug.error FILTER html %].
[% ELSIF error == "chart_data_not_generated" %]
The tool which gathers [% terms.bug %] counts has not been run yet.
Run checksetup.pl for installation instructions.
[% ELSIF error == "field_type_mismatch" %]
- Cannot seem to handle <code>[% field %]</code>
+ Cannot seem to handle <code>[% field FILTER html %]</code>
and <code>[% type FILTER html %]</code> together.
[% ELSIF error == "gd_not_installed" %]
'[% bit FILTER html %]'.
[% ELSIF error == "bad_arg" %]
- Bad argument <code>[% argument %]</code> sent to
- <code>[% function %]</code> function.
+ Bad argument <code>[% argument FILTER html %]</code> sent to
+ <code>[% function FILTER html %]</code> function.
[% ELSIF error == "invalid_attach_id_to_obsolete" %]
The attachment number of one of the attachments you wanted to obsolete,
but you tried to flag it as obsolete while creating a new attachment to
[% terms.bug %] [%+ my_bug_id FILTER html %].
- [% ELSIF error == "no_bug_data" %]
- No data when fetching [% terms.bug %] [%+ bug_id %].
-
[% ELSIF error == "flag_nonexistent" %]
- There is no flag with ID #[% variables.id %].
+ There is no flag with ID #[% variables.id FILTER html %].
[% ELSIF error == "flag_status_invalid" %]
The flag status <em>[% variables.status FILTER html %]</em> is invalid.
a positive integer.
[% ELSIF error == "flag_type_nonexistent" %]
- There is no flag type with the ID <em>[% variables.id %]</em>.
+ There is no flag type with the ID <em>[% variables.id FILTER html %]</em>.
[% ELSIF error == "flag_type_product_nonexistent" %]
The product <em>[% variables.product FILTER html %]</em> does not exist.
Something is seriously wrong with the token generation system.
[% ELSIF error == "template_error" %]
- [% template_error_msg %]
+ [% template_error_msg FILTER html %]
[% ELSIF error == "unable_to_retrieve_password" %]
I was unable to retrieve your old password from the database.
[% ELSE %]
[%# Give sensible error if error functions are used incorrectly.
#%]
- You are using [% terms.Bugzilla %]'s ThrowCodeError() function incorrectly. You
- passed in the string '[% error %]'. The correct use is to pass
- in a tag, and define that tag in the file code-error.html.tmpl.<br>
+ You are using [% terms.Bugzilla %]'s ThrowCodeError() function incorrectly.
+ You passed in the string '[% error FILTER html %]'. The correct use is to
+ pass in a tag, and define that tag in the file code-error.html.tmpl.<br>
<br>
If you are a [% terms.Bugzilla %] end-user seeing this message, please save this
page and send it to [% Param('maintainer') %].
<tr>
<td bgcolor="#ff0000">
<font size="+2">
- [% error_message %]
+ [% error_message FILTER none %]
</font>
</td>
</tr>
# self-referential URL
#%]
-[% # use the global field descs %]
+[%# use the global field descs %]
[% PROCESS "global/field-descs.none.tmpl" %]
[% IF matchsuccess == 1 %]
</td>
</tr>
- [% # this is messy to allow later expansion %]
+ [%# this is messy to allow later expansion %]
[% FOREACH field = matches %]
<tr>
[% IF field_descs.${field_name} %]
[% field_descs.${field_name} FILTER html -%]
- [%- # ELSIF for things that don't belong in the field_descs hash here -%]
+ [%-# ELSIF for things that don't belong in the field_descs hash here -%]
[% ELSIF field_name.match("^requestee") %]
[% fields.${field_name}.flag_type.name %] requestee
[% message_tag = message %]
[% message = BLOCK %]
- [% IF message_tag == "aaa_example_message_tag" %]
- [% title = "Example Message" %]
- This is an example message. The title is set above. This text is the body
- of the message. It can contain arbitrary <b>HTML</b>, and also references
- to any [% parameters %] which you may have set.
-
- [% ELSIF message_tag == "buglist_adding_field" %]
+ [% IF message_tag == "buglist_adding_field" %]
[% title = "Adding field to query page..." %]
[% link = "Click here if the page does not redisplay automatically." %]
- [% # --- %]
[% ELSIF message_tag == "buglist_load_named_query" %]
- [% title = BLOCK %]Loading your query named [% namedcmd %][% END %]
+ [% title = BLOCK %]
+ Loading your query named [% namedcmd FILTER html %]
+ [% END %]
[% link = "Click here if the page does not redisplay automatically." %]
- [% # --- %]
[% ELSIF message_tag == "buglist_updated_named_query" %]
OK, your query named <code>[% queryname FILTER html %]</code> is updated.
[% ELSIF message_tag == "email_change_cancelled_reinstated" %]
[% title = "Cancel Request to Change Email Address" %]
The request to change the email address for the
- [% old_email %] account to [% new_email %] has been cancelled.
- Your old account settings have been reinstated.
+ [% old_email FILTER html %] account to
+ [% new_email FILTER html %] has been cancelled.
+ Your old account settings have been reinstated.
[% ELSIF message_tag == "logged_out" %]
[% title = "Logged Out" %]
[% options_type = BLOCK %][% options %][% END %]
<select name="[% name FILTER html %]"
- [% IF onchange %]onchange="[% onchange %]"[% END %]
+ [% IF onchange %]onchange="[% onchange FILTER html %]"[% END %]
[% IF multiple %] multiple [% IF size %] size="[% size %]" [% END %] [% END %]>
[% IF options_type.search("ARRAY") %]
[% FOREACH value = options %]
[% ' | <a href="sanitycheck.cgi">Sanity check</a>'
IF user.groups.tweakparams %]
- | <a href="relogin.cgi">Log out</a> [% user.login %]
+ | <a href="relogin.cgi">Log out</a>
+ [% user.login FILTER html %]
</td>
</tr>
[%# This is a list of all the possible user errors. Please keep them in
# alphabetical order by error tag, and leave a blank line between errors.
+ #
+ # Note that you must explicitly filter every single template variable
+ # in this file; if you do not wish to change it, use the "none" filter.
#%]
[% PROCESS global/variables.none.tmpl %]
[% ELSIF error == "account_disabled" %]
[% title = "Account Disabled" %]
- [% disabled_reason %]
+ [% disabled_reason FILTER none %]
<hr>
If you believe your account should be restored, please
send email to [% Param("maintainer") %] explaining why.
[% ELSIF error == "alias_in_use" %]
[% title = "Alias In Use" %]
- [% bug_link %] has already taken the alias
+ [% bug_link FILTER none %] has already taken the alias
<em>[% alias FILTER html %]</em>. Please choose another one.
[% ELSIF error == "alias_is_numeric" %]
[% ELSIF error == "authorization_failure" %]
[% title = "Authorization Failed" %]
- You are not allowed to [% action %].
+ You are not allowed to [% action FILTER html %].
[% ELSIF error == "attachment_access_denied" %]
[% title = "Access Denied" %]
[% ELSIF error == "bug_access_denied" %]
[% title = "Access Denied" %]
- You are not authorized to access [% terms.bug %] #[% bug_id %].
+ You are not authorized to access [% terms.bug %] #[% bug_id FILTER html %].
[% ELSIF error == "bug_access_query" %]
[% title = "Access Denied" %]
- You are not authorized to access [% terms.bug %] #[% bug_id %]. To see
- this [% terms.bug %], you must
- first <a href="show_bug.cgi?id=[% bug_id %]&GoAheadAndLogIn=1">log
+ You are not authorized to access [% terms.bug %] #[% bug_id FILTER html %].
+ To see this [% terms.bug %], you must
+ first <a href="show_bug.cgi?id=
+ [% bug_id FILTER url_quote %]&GoAheadAndLogIn=1">log
in to an account</a> with the appropriate permissions.
[% ELSIF error == "buglist_parameters_required" %]
[% title = "Dependency Loop Detected" %]
The following [% terms.bug %](s) would appear on both the "depends on"
and "blocks" parts of the dependency tree if these changes
- are committed: [% both %]. This would create a circular
+ are committed: [% both FILTER none %]. This would create a circular
dependency, which is not allowed.
[% ELSIF error == "dependency_loop_single" %]
[% ELSIF error == "file_too_large" %]
[% title = "File Too Large" %]
- The file you are trying to attach is [% filesize %] kilobytes (KB) in size.
+ The file you are trying to attach is [% filesize FILTER html %]
+ kilobytes (KB) in size.
Non-patch attachments cannot be more than [% Param('maxattachmentsize') %]
KB.
If your attachment is an image, try converting it to a compressable
[% title = "Flag Requestee Not Authorized" %]
You asked [% requestee.identity FILTER html %]
- for <code>[% flag_type.name FILTER html %]</code> on [% terms.bug %] [% bug_id -%]
- [% IF attach_id %], attachment [% attach_id %][% END %], but that [% terms.bug %]&bnsp;
+ for <code>[% flag_type.name FILTER html %]</code> on [% terms.bug %]
+ [% bug_id FILTER html -%]
+ [% IF attach_id %], attachment [% attach_id FILTER html %][% END %],
+ but that [% terms.bug %]&bnsp;
has been restricted to users in certain groups, and the user you asked
isn't in all the groups to which the [% terms.bug %] has been restricted.
Please choose someone else to ask, or make the [% terms.bug %] accessible to users
[% title = "Flag Requestee Not Authorized" %]
You asked [% requestee.identity FILTER html %]
- for <code>[% flag_type.name FILTER html %]</code> on [% terms.bug %] [% bug_id %],
- attachment [% attach_id %], but that attachment is restricted to users
+ for <code>[% flag_type.name FILTER html %]</code> on
+ [% terms.bug %] [% bug_id FILTER html %],
+ attachment [% attach_id FILTER html %], but that attachment is restricted
+ to users
in the [% Param("insidergroup") FILTER html %] group, and the user
you asked isn't in that group. Please choose someone else to ask,
or ask an administrator to add the user to the group.
[% ELSIF error == "illegal_attachment_edit" %]
[% title = "Unauthorised Action" %]
- You are not authorised to edit attachment [% attach_id %].
+ You are not authorised to edit attachment [% attach_id FILTER html %].
[% ELSIF error == "illegal_attachment_edit_bug" %]
[% title = "Unauthorised Action" %]
- You are not authorised to edit attachments on [% terms.bug %] [%+ bug_id %].
+ You are not authorised to edit attachments on [% terms.bug %]
+ [%+ bug_id FILTER html %].
[% ELSIF error == "illegal_attachment_is_patch" %]
[% title = "Your Query Makes No Sense" %]
[% ELSIF error == "illegal_change" %]
[% title = "Not allowed" %]
- You tried to change the <strong>[% field %]</strong> field
+ You tried to change the
+ <strong>[% field_descs.$field FILTER html %]</strong> field
from <em>[% oldvalue FILTER html %]</em> to
<em>[% newvalue FILTER html %]</em>,
but only the owner or submitter of the [% terms.bug %], or a
[% ELSIF error == "invalid_bug_id_non_existent" %]
[% title = BLOCK %]Invalid [% terms.Bug %] ID[% END %]
- [% terms.Bug %] #[% bug_id %] does not exist.
+ [% terms.Bug %] #[% bug_id FILTER html %] does not exist.
[% ELSIF error == "invalid_bug_id_or_alias" %]
[% title = BLOCK %]Invalid [% terms.Bug %] ID[% END %]
[% ELSIF error == "milestone_required" %]
[% title = "Milestone Required" %]
- You must determine a target milestone for [% terms.bug %] [%+ bug_id %]
+ You must determine a target milestone for [% terms.bug %]
+ [%+ bug_id FILTER html %]
if you are going to accept it. Part of accepting
[% terms.abug %] is giving an estimate of when it will be fixed.
[% ELSIF error == "need_positive_number" %]
[% title = "Positive Number Required" %]
- The <em>[% field_descs.$field %]</em> field requires a positive number.
+ The <em>[% field_descs.$field FILTER html %]</em> field requires a positive
+ number.
[% ELSIF error == "need_product" %]
[% title = "Product Required" %]
[% ELSIF error == "no_dupe_stats" %]
[% title = "Cannot Find Duplicate Statistics" %]
- There are no duplicate statistics for today ([% today %]) or yesterday.
+ There are no duplicate statistics for today ([% today FILTER html %])
+ or yesterday.
[% ELSIF error == "no_dupe_stats_error_today" %]
[% title = "Error Reading Today's Dupes File" %]
[% ELSIF error == "no_dupe_stats_error_yesterday" %]
[% title = "Error Reading Yesterday's Dupes File" %]
- There are no duplicate statistics for today ([% today %]), and an error
+ There are no duplicate statistics for today ([% today FILTER html %]),
+ and an error
occurred opening yesterday's dupes file: [% error_msg FILTER html %].
[% ELSIF error == "no_html_in_quips" %]
[% ELSIF error == "patch_too_large" %]
[% title = "File Too Large" %]
- The file you are trying to attach is [% filesize %] kilobytes (KB) in size.
+ The file you are trying to attach is [% filesize FILTER html %]
+ kilobytes (KB) in size.
Patches cannot be more than [% Param('maxpatchsize') %] KB in size.
Try breaking your patch into several pieces.
[% ELSIF error == "product_edit_denied" %]
[% title = "Product Edit Access Denied" %]
- You are not permitted to edit [% terms.bugs %] in product [% product %].
+ You are not permitted to edit [% terms.bugs %] in product
+ [% product FILTER html %].
[% ELSIF error == "query_name_missing" %]
[% title = "No Query Name Specified" %]
[% ELSIF error == "too_many_votes_for_bug" %]
[% title = "Illegal Vote" %]
- You may only use at most [% max %] votes for a single [% terms.bug %] in the
+ You may only use at most [% max FILTER html %] votes for a single
+ [%+ terms.bug %] in the
<tt>[% prod FILTER html %]</tt> product, but you are trying to use
- [% votes %].
+ [% votes FILTER html %].
[% ELSIF error == "too_many_votes_for_product" %]
[% title = "Illegal Vote" %]
- You may only use at most [% max %] votes for [% terms.bugs %] in the
+ You may only use at most [% max FILTER html %] votes for [% terms.bugs %]
+ in the
<tt>[% prod FILTER html %]</tt> product, but you are trying to use
- [% votes %].
+ [% votes FILTER html %].
[% ELSIF error == "token_inexistent" %]
[% title = "Token Does Not Exist" %]
[% ELSIF error == "value_out_of_range" %]
[% title = "Value Out Of Range" %]
- Value is out of range for field <em>[% field_descs.$field %]</em>.
+ Value is out of range for field
+ <em>[% field_descs.$field FILTER html %]</em>.
[% ELSIF error == "zero_length_file" %]
[% title = "File Is Empty" %]
<tr>
<td bgcolor="#ff0000">
<font size="+2">
- [% error_message %]
+ [% error_message FILTER none %]
</font>
</td>
</tr>
[% FOREACH column = masterlist %]
<input type="checkbox" id="[% column %]" name="column_[% column %]"
[% "checked='checked'" IF lsearch(collist, column) != -1 %]>
- <label for="[% column %]">[% field_descs.${column} || column %]</label>
+ <label for="[% column %]">
+ [% (field_descs.${column} || column) FILTER html %]
+ </label>
<br>
[% END %]
[% END %]
[% IF bugowners %]
- <a href="mailto:[% bugowners %]">Send Mail to [% terms.Bug %] Owners</a>
+ <a href="mailto:[% bugowners FILTER html %]">Send
+ Mail to [% terms.Bug %] Owners</a>
+
[% END %]
<a href="query.cgi?
<a name="[% comp.name FILTER html %]">[% comp.name FILTER html %]</a>
</td>
<td>
- <a href="mailto:[% comp.initialowner %][% Param('emailsuffix') %]">
+ <a href="mailto:[% comp.initialowner FILTER html %]
+ [% Param('emailsuffix') %]">
[% comp.initialowner FILTER html %]</a>
</td>
[% IF Param("useqacontact") %]
<td>
- <a href="mailto:[% comp.initialqacontact %][% Param('emailsuffix') %]">
- [% comp.initialqacontact %]</a>
+ <a href="mailto:[% comp.initialqacontact FILTER html %]
+ [% Param('emailsuffix') %]">
+ [% comp.initialqacontact FILTER html %]</a>
</td>
[% END %]
</tr>
[% END%]
<head>
- <title>[% title %]</title>
+ <title>[% title FILTER html %]</title>
</head>
<body>
[% bug_ids_string = bug_ids.join(',') %]
<a href="duplicates.cgi?sortby=[% column.name %]
[% IF sortby == column.name %]
- [% "&reverse=1" IF NOT reverse %]
+ [% "&reverse=1" IF NOT reverse %]
[% ELSE %]
[%-# Some columns start off reversed %]
- [% "&reverse=1" IF column.name.match('delta|count') %]
+ [% "&reverse=1" IF column.name.match('delta|count') %]
[% END %]
- [% "&maxrows=$maxrows" IF maxrows %]
- [% "&changedsince=$changedsince" IF changedsince %]
- [% "&openonly=1" IF openonly %]
- [% "&product=$product" IF product %]
- [% "&format=$format" IF format %]
- [% "&bug_id=$bug_ids_string&sortvisible=1" IF sortvisible %]">
+ [% "&maxrows=$maxrows" IF maxrows %]
+ [% "&changedsince=$changedsince" IF changedsince %]
+ [% "&openonly=1" IF openonly %]
+ [% IF product %]&product=[% product FILTER html %][% END %]
+ [% IF format %]&format=[% format FILTER html %][% END %]
+ [% "&bug_id=$bug_ids_string&sortvisible=1"
+ IF sortvisible %]">
[% column.description %]</a>
</b>
</center>
<td><center>[% bug.delta %]</center></td>
[% END %]
- <td>[% bug.component %]</td>
- <td><center>[% bug.bug_severity %]</center></td>
- <td><center>[% bug.op_sys %]</center></td>
- <td><center>[% bug.target_milestone %]</center></td>
+ <td>[% bug.component FILTER html %]</td>
+ <td><center>[% bug.bug_severity FILTER html %]</center></td>
+ <td><center>[% bug.op_sys FILTER html %]</center></td>
+ <td><center>[% bug.target_milestone FILTER html %]</center></td>
<td>[% bug.short_desc FILTER html %]</td>
</tr>
[% END %]
[% row_field_disp = field_descs.$row_field || row_field %]
[% title = BLOCK %]
- [% "$tbl_field_disp: $tbl\n" IF tbl_field %]
- [% row_field_disp IF row_field %]
+ [% IF tbl_field %]
+ [% tbl_field_disp FILTER csv %]: [% tbl FILTER csv %]
+
+ [% END %]
+ [% IF row_field %]
+ [% row_field_disp FILTER csv %]
+ [% END %]
[% " / " IF col_field AND row_field %]
- [% col_field_disp %]
+ [% col_field_disp FILTER csv %]
[% END %]
-[% title FILTER csv %],
+[% title %],
[% IF col_field -%]
[% FOREACH col = col_names -%]
[% col FILTER csv -%],
<td>
</td>
<td align="center">
- <h2>[% tbl_disp %]</h2>
+ <h2>[% tbl_disp FILTER html %]</h2>
</td>
</tr>
[% END %]
[% title = BLOCK %]
Report:
- [% tbl_field_disp IF tbl_field %]
+ [% IF tbl_field %]
+ [% tbl_field_disp FILTER html %]
+ [% END %]
[% " / " IF tbl_field AND (col_field OR row_field) %]
- [% row_field_disp IF row_field %]
+ [% IF row_field %]
+ [% row_field_disp FILTER html %]
+ [% END %]
[% " / " IF col_field AND row_field %]
- [% col_field_disp %]
+ [% col_field_disp FILTER html %]
[% END %]
[% PROCESS global/header.html.tmpl
[% UNLESS other_format.name == format %]
<a href="[% formaturl %]&format=[% other_format.name %]">
[% END %]
- [% other_format.description %]
+ [% other_format.description FILTER html %]
[% "</a>" UNLESS other_format.name == format %] |
[% END %]
<a href="[% formaturl %]&ctype=csv&format=table">CSV</a>
</td>
- [% sizeurl = "report.cgi?$switchbase&action=wrap&format=$format" %]
+ [% sizeurl = BLOCK %]report.cgi?
+ [% switchbase %]&action=wrap&format=
+ [% format FILTER html %][% END %]
<td align="center">
<a href="[% sizeurl %]&width=[% width %]&height=
[% height + 100 %]">Taller</a><br>
value="[% default.short_desc.0 FILTER html %]">
</td>
<td>
- <input type="submit" value="[% button_name %]">
+ <input type="submit" value="[% button_name FILTER html %]">
</td>
</tr>
[% END %]
</select>
- <input type="submit" value="[% button_name %]">
+ <input type="submit" value="[% button_name FILTER html %]">
[% IF userdefaultquery %]
<p>
[% PROCESS search/form.html.tmpl %]
<br>
-<input type="submit" value="[% button_name %]">
+<input type="submit" value="[% button_name FILTER html %]">
<input type="hidden" name="action" value="wrap">
<hr>
[% PROCESS search/form.html.tmpl %]
<br>
-<input type="submit" value="[% button_name %]">
+<input type="submit" value="[% button_name FILTER html %]">
<input type="hidden" name="format" value="table">
<input type="hidden" name="action" value="wrap">
<hr>
projects / thirdparty / bugzilla.git / commitdiff
