Bug 790296 (CVE-2012-4189): [SECURITY] Field values are not escaped correctly in...

r=dkl a=LpSolit

diff --git a/report.cgi b/report.cgi
index cc43e66e43dd3db2410bbd036b536218c27695c4..5d5033b7df9b74b02e378be39085549bc280e9b5 100755 (executable)
--- a/report.cgi
+++ b/report.cgi
@@ -354,5 +354,5 @@ sub get_field_restrictions {
     my $field = shift;
     my $cgi = Bugzilla->cgi;
 
-    return join('&', map {"$field=$_"} $cgi->param($field));
+    return join('&', map {url_quote($field) . '=' . url_quote($_)} $cgi->param($field));
 }

diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl
index 8a3ab95242dfd7e9fff3bd28c0658dfe17340373..b41753550d0d53c5cda802b11d8257068f619637 100644 (file)
--- a/template/en/default/reports/report-table.html.tmpl
+++ b/template/en/default/reports/report-table.html.tmpl
@@ -102,7 +102,7 @@ YAHOO.util.Event.addListener(window, "load", function() {
   var myColumnDefs = [
         {key:"row_title", label:"", sortable:true, sortOptions: { sortFunction:totalNumberSorter }},
         [% FOREACH col = col_names %]
-          {key:"[% col FILTER js %]", label:"[% display_value(col_field, col) FILTER js %]", sortable:true,
+          {key:"[% col FILTER js %]", label:"[% display_value(col_field, col) FILTER html FILTER js %]", sortable:true,
            formatter:this.Linkify, sortOptions: { defaultDir: YAHOO.widget.DataTable.CLASS_DESC, sortFunction:totalNumberSorter }},
         [% END %]
         {key:"total", label:"Total", sortable:true, formatter:this.LinkifyTotal,