From: Max Kanat-Alexander
Date: Wed, 19 May 2010 17:20:09 +0000 (-0700)
Subject: Bug 565899: Make the html_linebreak filter safe by having it first call the
X-Git-Tag: bugzilla-3.7.1~63
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=401b0d1301cf419ff40d7cb82d2763b13accd26a;p=thirdparty%2Fbugzilla.git

Bug 565899: Make the html_linebreak filter safe by having it first call the "html" filter r=LpSolit, a=LpSolit
---
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 71370a8c19..274ed88473 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -532,6 +532,7 @@ sub create {
 # See bugs 4928, 22983 and 32000 for more details
 html_linebreak => sub {
 my ($var) = @_;
+ $var = html_quote($var);
 $var =~ s/\r\n/\ /g;
 $var =~ s/\n\r/\ /g;
 $var =~ s/\r/\ /g;
diff --git a/t/008filter.t b/t/008filter.t
index e6ae4c13af..5a5b223c8a 100644
--- a/t/008filter.t
+++ b/t/008filter.t
@@ -226,7 +226,7 @@ sub directive_ok {
 return 1 if $directive =~ /FILTER\ (html|csv|js|base64|url_quote|css_class_quote|
 ics|quoteUrls|time|uri|xml|lower|html_light|
 obsolete|inactive|closed|unitconvert|
- txt|none)\b/x;
+ txt|html_linebreak|none)\b/x;
 return 0;
 }
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index f50f607378..e3bd3ba8b0 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -540,7 +540,7 @@
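Review bot: The safety of the new `html_linebreak` closure rests entirely on statement order — `$var = html_quote($var);` runs before the newline substitutions, so the markup those substitutions insert is the only unescaped markup in the output, and reordering the lines would let `<` or `&` from caller data become live markup again; that invariant deserves a comment, since the existing `# See bugs 4928, 22983 and 32000` note explains the newline handling but not the escaping. Because the filter now escapes on its own, any `FILTER html FILTER html_linebreak` chain left outside the two templates touched by this commit will double-encode (`&amp;lt;` where `&lt;` was meant) — not exploitable, but a visible regression, so the remaining callers should be audited. Suggest inserting above `my ($var) = @_;`: `# html_quote() MUST run first: every substitution below inserts trusted markup,` / `# so callers must NOT chain this after FILTER html (that double-encodes).` The substitutions' replacement text has not survived this rendering, and the closure continues past the end of the hunk.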
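Review bot: Adding `html_linebreak` to the accepted-filter alternation in `directive_ok` tells the filter audit that it is a fully escaping filter, which holds only while the closure in Bugzilla/Template.pm keeps calling `html_quote` first; nothing in this test ties the two together, so a later change to the filter would leave the whitelist silently stale. Suggest a comment next to the alternation, e.g. `# html_linebreak is accepted only because it calls html_quote() itself (see Template.pm)`, and ideally a small assertion elsewhere in the test suite that the filter escapes `<` and `&` so the whitelist entry has a check behind it. The regex body and the remainder of `directive_ok` extend beyond this hunk, and a blank context line appears to have been lost in this rendering.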

Traceback:

-
[% traceback FILTER html FILTER html_linebreak %]
+
[% traceback FILTER html_linebreak %]
[% IF variables %]
diff --git a/template/en/default/global/hidden-fields.html.tmpl b/template/en/default/global/hidden-fields.html.tmpl
index 24f15c4f5e..c141c64097 100644
--- a/template/en/default/global/hidden-fields.html.tmpl
+++ b/template/en/default/global/hidden-fields.html.tmpl
@@ -52,7 +52,7 @@
   [% ELSE %]
     [% FOREACH mvalue = cgi.param(field).slice(0) %]
       
+             value="[% mvalue FILTER html_linebreak %]">
     [% END %]
   [% END %]
 [% END %]