$ctype ||= 'html';
$format ||= '';
- # Security - allow letters and a hyphen only
- $ctype =~ s/[^a-zA-Z\-]//g;
- $format =~ s/[^a-zA-Z\-]//g;
+ # ctype and format can have letters and a hyphen only.
+ if ($ctype =~ /[^a-zA-Z\-]/ || $format =~ /[^a-zA-Z\-]/) {
+ ThrowUserError('format_not_found', {'format' => $format,
+ 'ctype' => $ctype,
+ 'invalid' => 1});
+ }
trick_taint($ctype);
trick_taint($format);
return
{
'template' => $template,
+ 'format' => $format,
'extension' => $ctype,
'ctype' => Bugzilla::Constants::contenttypes->{$ctype}
};
my $user = Bugzilla->login();
+my $format = $template->get_format("bug/show", scalar $cgi->param('format'),
+ scalar $cgi->param('ctype'));
+
# Editable, 'single' HTML bugs are treated slightly specially in a few places
-my $single = !$cgi->param('format')
- && (!$cgi->param('ctype') || $cgi->param('ctype') eq 'html');
+my $single = !$format->{format} && $format->{extension} eq 'html';
# If we don't have an ID, _AND_ we're only doing a single bug, then prompt
if (!$cgi->param('id') && $single) {
exit;
}
-my $format = $template->get_format("bug/show", scalar $cgi->param('format'),
- scalar $cgi->param('ctype'));
-
my (@bugs, @illegal_bugs);
my %marks;
print $cgi->header($format->{'ctype'});
-$template->process("$format->{'template'}", $vars)
+$template->process($format->{'template'}, $vars)
|| ThrowTemplateError($template->error());
[% title = "Format Not Found" %]
The requested format <em>[% format FILTER html %]</em> does not exist with
a content type of <em>[% ctype FILTER html %]</em>.
-
+ [% IF invalid %]
+ Both parameters must contain letters and hyphens only.
+ [% END %]
+
[% ELSIF error == "flag_type_sortkey_invalid" %]
[% title = "Flag Type Sort Key Invalid" %]
The sort key <em>[% sortkey FILTER html %]</em> must be an integer
projects / thirdparty / bugzilla.git / commitdiff
