Bug 842063: HTML injection is possible using the bug alias
authorFrédéric Buclin <LpSolit@gmail.com>
Mon, 18 Feb 2013 12:26:51 +0000 (13:26 +0100)
committerFrédéric Buclin <LpSolit@gmail.com>
Mon, 18 Feb 2013 12:26:51 +0000 (13:26 +0100)
r=dkl a=LpSolit

template/en/default/bug/show-header.html.tmpl

index 54d51dd4f3fed954441c86d3b4a39924782e8827..f67bbf2f88ba2ed432e73f157b3e5e568f90ad7a 100644 (file)
   # be overridden by the calling templates.
   #%]
 
+[% filtered_alias = bug.alias FILTER html %]
 [% filtered_desc = bug.short_desc FILTER html %]
-[% subheader = filtered_desc %]
 [% filtered_timestamp = bug.delta_ts FILTER time %]
+
+[% subheader = filtered_desc %]
 [% title = "$terms.Bug $bug.bug_id &ndash; " %]
 [% IF bug.alias != '' %]
-  [% title = title _ "($bug.alias) " %]
+  [% title = title _ "($filtered_alias) " %]
 [% END %]
 [% title = title _ filtered_desc %]
 [% yui = ['autocomplete', 'calendar'] %]
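Review bot: The `title` string is assembled as raw HTML — the literal `&ndash;` entity on the `[% title = "$terms.Bug $bug.bug_id &ndash; " %]` line shows the consumer will not escape it again — so the fix holds only while every value spliced into `title` is pre-escaped, and nothing in the hunk records that invariant for the next person who appends to it. I would add, above that assignment, `[%# title is emitted as raw HTML (hence the &ndash; entity): any value concatenated into it must be pre-escaped with FILTER html, as filtered_alias and filtered_desc are. %]`. `$terms.Bug` and `$bug.bug_id` remain unfiltered; that seems safe only because bug_id is presumably an integer and terms come from trusted configuration, which is worth confirming. If `bug.alias` is also rendered elsewhere in this template, those spots lie outside this hunk and would need the same `filtered_alias`.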