From: Dylan William Hardison <dylan@hardison.net>
Date: Wed, 3 Jan 2018 17:13:10 +0000 (-0500)
Subject: Bug 1426475 - Make unknown bug id / alias error message more obvious to prevent conte... 
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=51605fb0ae3ce7d85b6037e0ac4b22676766ad0c;p=thirdparty%2Fbugzilla.git

Bug 1426475 - Make unknown bug id / alias error message more obvious to prevent content spoofing
---

diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 9eefbcb73..a9342e343 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1045,8 +1045,12 @@
     [% title = BLOCK %]
       [% IF bug_id %]Invalid [% ELSE %]Missing [% END %] [% terms.Bug %] ID
     [% END %]
+    [% UNLESS bug_id.match("^\\d+$") %]
+        [% bug_id = bug_id.truncate(40).upper().replace("\\W+", "", "g") %]
+    [% END %]
     [% IF bug_id %]
-      '[% bug_id FILTER html %]' is not a valid [% terms.bug %] number
+      Sorry, I can't find "<em>[% bug_id FILTER html %]</em>".
+      It does not seem like [% terms.bug %] number
       [% IF Param("usebugaliases") %]
         nor an alias to [% terms.abug %]
       [% END %].
@@ -1996,6 +2000,8 @@
    admindocslinks = admindocslinks
 %]
 
+<h1>[% title FILTER html %]</h1>
+
 <table cellpadding="20">
   <tr>
     <td id="error_msg" class="throw_error">