Bug 351994: Messages shouldn't contain HTML characters unless we're in USAGE_MODE_BROWSER

Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=ghendricks, a=myk

diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index b54c4a0f20ca2860c2508e0410f9199990f21890..7149828efa8ac73009ddb3824222bb6f15ffd6a5 100644 (file)
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -760,6 +760,22 @@ sub create {
                      1
                      ],
 
+            # Note that using this filter is even more dangerous than
+            # using "none," and you should only use it when you're SURE
+            # the output won't be displayed directly to a web browser.
+            txt => sub {
+                my ($var) = @_;
+                # Trivial HTML tag remover
+                $var =~ s/<[^>]*>//g;
+                # And this basically reverses the html filter.
+                $var =~ s/\&#64;/@/g;
+                $var =~ s/\&lt;/</g;
+                $var =~ s/\&gt;/>/g;
+                $var =~ s/\&quot;/\"/g;
+                $var =~ s/\&amp;/\&/g;
+                return $var;
+            },
+
             # Wrap a displayed comment to the appropriate length
             wrap_comment => \&Bugzilla::Util::wrap_comment,
 

diff --git a/t/008filter.t b/t/008filter.t
index 02d4d4a7e919bc2679b4d7dfba3cc6c0c7ad3ffa..66f4b7c976a58e97b62cb1320ca4b6acdcbd3924 100644 (file)
--- a/t/008filter.t
+++ b/t/008filter.t
@@ -225,7 +225,7 @@ sub directive_ok {
     return 1 if $directive =~ /FILTER\ (html|csv|js|base64|url_quote|css_class_quote|
                                         ics|quoteUrls|time|uri|xml|lower|
                                         obsolete|inactive|closed|unitconvert|
-                                        none)\b/x;
+                                        txt|none)\b/x;
 
     return 0;
 }

diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 63ce0ffab92e7060ffa6fef9799ce91dcd6b1f69..f6ccae7548e170aea37a7be860c4e184ec8b2230 100644 (file)
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -434,7 +434,11 @@
 [%# We only want HTML error messages for ERROR_MODE_WEBPAGE %]
 [% USE Bugzilla %]
 [% IF Bugzilla.error_mode != constants.ERROR_MODE_WEBPAGE %]
-  [% error_message FILTER none %]
+  [% IF Bugzilla.usage_mode == constants.USAGE_MODE_BROWSER %]
+    [% error_message FILTER none %]
+  [% ELSE %]
+    [% error_message FILTER txt %]
+  [% END %]
   [% RETURN %]
 [% END %]
 

diff --git a/template/en/default/global/message.txt.tmpl b/template/en/default/global/message.txt.tmpl
index fc0ec197747b6769ed9ba7bc25a89b8eee0347d1..e8ec1e5104890222c1d86b994ab5864001c4bb00 100644 (file)
--- a/template/en/default/global/message.txt.tmpl
+++ b/template/en/default/global/message.txt.tmpl
@@ -23,4 +23,4 @@
 [%# Yes, this may show some HTML. But it's the best we
   # can do at the moment. %]
 [% PROCESS global/messages.html.tmpl %]
-[% message %]
+[% message FILTER txt %]

diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index a9706376b12af884e0f5bd81488764c57ec3db2d..646da5f753eebde8949f874dcb739cd3c90641f6 100644 (file)
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1483,7 +1483,11 @@
 [%# We only want HTML error messages for ERROR_MODE_WEBPAGE %]
 [% USE Bugzilla %]
 [% IF Bugzilla.error_mode != constants.ERROR_MODE_WEBPAGE %]
-  [% error_message FILTER none %]
+  [% IF Bugzilla.usage_mode == constants.USAGE_MODE_BROWSER %]
+    [% error_message FILTER none %]
+  [% ELSE %]
+    [% error_message FILTER txt %]
+  [% END %]
   [% RETURN %]
 [% END %]