Bug 926085: Forbird single quotes to delimit URLs (no <a href='...'>)

r=dkl a=glob

diff --git a/t/004template.t b/t/004template.t
index 298bb52c06e0a46bdf758197c02d1559c9ac2dc8..604559dc0bac849825f307890f930a71d302574b 100644 (file)
--- a/t/004template.t
+++ b/t/004template.t
@@ -20,7 +20,7 @@ use CGI qw(-no_debug);
 
 use File::Spec;
 use Template;
-use Test::More tests => ( scalar(@referenced_files) + $num_actual_files );
+use Test::More tests => ( scalar(@referenced_files) + 2 * $num_actual_files );
 
 # Capture the TESTOUT from Test::More or Test::Builder for printing errors.
 # This will handle verbosity for us automatically.
@@ -104,6 +104,20 @@ foreach my $include_path (@include_paths) {
             ok(0, "$path has bad syntax --ERROR");
             print $fh $data . "\n";
         }
+
+        # Make sure no forbidden constructs are present.
+        local $/;
+        open(FILE, '<', $path) or die "Can't open $file: $!\n";
+        $data = <FILE>;
+        close (FILE);
+
+        # Forbid single quotes to delimit URLs, see bug 926085.
+        if ($data =~ /href=\\?'/) {
+            ok(0, "$path contains blacklisted constructs: href='...'");
+        }
+        else {
+            ok(1, "$path contains no blacklisted constructs");
+        }
     }
 }
 

diff --git a/template/en/default/admin/params/attachment.html.tmpl b/template/en/default/admin/params/attachment.html.tmpl
index 6e03019089465ba8a4b321fd7b79b0ce30387dc5..c0c32a4d5d96c76e3e24a236786f7942abfe281f 100644 (file)
--- a/template/en/default/admin/params/attachment.html.tmpl
+++ b/template/en/default/admin/params/attachment.html.tmpl
@@ -50,13 +50,13 @@
   maxattachmentsize => "The maximum size (in kilobytes) of attachments to be stored " _
                        "in the database. If a file larger than this size is attached " _
                        "to ${terms.abug}, $terms.Bugzilla will look at the " _
-                       "<a href='#maxlocalattachment'><tt>maxlocalattachment</tt> parameter</a> " _
+                       "<a href=\"#maxlocalattachment\"><tt>maxlocalattachment</tt> parameter</a> " _
                        "to determine if the file can be stored locally on the web server. " _
                        "If the file size exceeds both limits, then the attachment is rejected. " _
                        "Settings both parameters to 0 will prevent attaching files to ${terms.bugs}.",
 
   maxlocalattachment => "The maximum size (in megabytes) of attachments to be stored " _
                         "locally on the web server. If set to a value lower than the " _
-                        "<a href='#maxattachmentsize'><tt>maxattachmentsize</tt> parameter</a>, " _
+                        "<a href=\"#maxattachmentsize\"><tt>maxattachmentsize</tt> parameter</a>, " _
                         "attachments will never be kept on the local filesystem." }
 %]

diff --git a/template/en/default/admin/params/auth.html.tmpl b/template/en/default/admin/params/auth.html.tmpl
index 38090915e5bd08c926932829a3984df26dc9d01b..0a72938ca4a547c5db47b8b5b40c41e703bc2a9f 100644 (file)
--- a/template/en/default/admin/params/auth.html.tmpl
+++ b/template/en/default/admin/params/auth.html.tmpl
@@ -97,7 +97,7 @@
     "This defines the regular expression to use for legal email addresses. " _
     "The default tries to match fully qualified email addresses. " _
     "Use <tt>.*</tt> to accept any email address following the " _
-    "<a href='http://tools.ietf.org/html/rfc2822#section-3.4.1'>RFC 2822</a> " _
+    "<a href=\"http://tools.ietf.org/html/rfc2822#section-3.4.1\">RFC 2822</a> " _
     "specification. Another popular value to put here is <tt>^[^@]+$</tt>, " _
     "which means 'local usernames, no @ allowed.'",