Bug 697699 - (CVE-2011-3657) [SECURITY] XSS when viewing new charts or tabular and...

author Byron Jones <glob@mozilla.com>

Wed, 28 Dec 2011 22:10:39 +0000 (17:10 -0500)

committer Dave Lawrence <dlawrence@mozilla.com>

Wed, 28 Dec 2011 22:10:39 +0000 (17:10 -0500)
author Byron Jones <glob@mozilla.com>
Wed, 28 Dec 2011 22:10:39 +0000 (17:10 -0500)
committer Dave Lawrence <dlawrence@mozilla.com>
Wed, 28 Dec 2011 22:10:39 +0000 (17:10 -0500)
diff --git a/Bugzilla/Chart.pm b/Bugzilla/Chart.pm

index 5022723ddd7c3d669d1a333faff8eb77ec7d61b5..86dcf9d039977903588bedce2863f7ed590a97a2 100644 (file)
--- a/Bugzilla/Chart.pm
+++ b/Bugzilla/Chart.pm
@@ -438,7 +438,7 @@ sub dump {
      
      require Data::Dumper;
      say "<pre>Bugzilla::Chart object:";
-    print Data::Dumper::Dumper($self);
+    print html_quote(Data::Dumper::Dumper($self));
      print "</pre>";
  }
  
diff --git a/report.cgi b/report.cgi

index 20e899a6b9913c9b74892940e3c2fba930cedf1e..209ef0fafe7b9197c30c6d656b881b662e89cdc5 100755 (executable)
--- a/report.cgi
+++ b/report.cgi
@@ -288,9 +288,9 @@ print $cgi->header(-type => $format->{'ctype'},
  if ($cgi->param('debug')) {
      require Data::Dumper;
      say "<pre>data hash:";
-    say Data::Dumper::Dumper(%data);
+    say html_quote(Data::Dumper::Dumper(%data));
      say "\ndata array:";
-    say Data::Dumper::Dumper(@image_data) . "\n\n</pre>";
+    say html_quote(Data::Dumper::Dumper(@image_data)) . "\n\n</pre>";
  }
  
  # All formats point to the same section of the documentation.
author	Byron Jones <glob@mozilla.com>
	Wed, 28 Dec 2011 22:10:39 +0000 (17:10 -0500)
committer	Dave Lawrence <dlawrence@mozilla.com>
	Wed, 28 Dec 2011 22:10:39 +0000 (17:10 -0500)
Bugzilla/Chart.pm		patch \| blob \| blame \| history
report.cgi		patch \| blob \| blame \| history