From: mkanat%bugzilla.org <> Date: Fri, 22 Sep 2006 06:19:03 +0000 (+0000) Subject: Bug 351994: Messages shouldn't contain HTML characters unless we're in USAGE_MODE_BROWSER X-Git-Tag: bugzilla-2.23.3~41 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6c0f16ffbf7b39da24ded73e17fd2fc0ea4e1a75;p=thirdparty%2Fbugzilla.git Bug 351994: Messages shouldn't contain HTML characters unless we're in USAGE_MODE_BROWSER Patch By Max Kanat-Alexander r=ghendricks, a=myk --- diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index b54c4a0f20..7149828efa 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -760,6 +760,22 @@ sub create { 1 ], + # Note that using this filter is even more dangerous than + # using "none," and you should only use it when you're SURE + # the output won't be displayed directly to a web browser. + txt => sub { + my ($var) = @_; + # Trivial HTML tag remover + $var =~ s/<[^>]*>//g; + # And this basically reverses the html filter. + $var =~ s/\@/@/g; + $var =~ s/\<//g; + $var =~ s/\"/\"/g; + $var =~ s/\&/\&/g; + return $var; + }, + # Wrap a displayed comment to the appropriate length wrap_comment => \&Bugzilla::Util::wrap_comment, diff --git a/t/008filter.t b/t/008filter.t index 02d4d4a7e9..66f4b7c976 100644 --- a/t/008filter.t +++ b/t/008filter.t @@ -225,7 +225,7 @@ sub directive_ok { return 1 if $directive =~ /FILTER\ (html|csv|js|base64|url_quote|css_class_quote| ics|quoteUrls|time|uri|xml|lower| obsolete|inactive|closed|unitconvert| - none)\b/x; + txt|none)\b/x; return 0; } diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl index 63ce0ffab9..f6ccae7548 100644 --- a/template/en/default/global/code-error.html.tmpl +++ b/template/en/default/global/code-error.html.tmpl 
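Review bot: The comment on the new `txt` filter in Bugzilla/Template.pm says it is more dangerous than `none` but not why, and the reason is what a template author needs to know. After the tag stripper runs, the remaining substitutions reverse the html filter, so a value that was safely escaped comes back out as literal markup characters. I would say so in the comment, e.g. `# Un-escapes entities AFTER stripping tags, so escaped user data is emitted as raw markup characters; use for plain-text output only.` The ampersand substitution is last, which looks deliberate (decoding it earlier would decode doubly-escaped text twice) and deserves a one-line comment so nobody reorders it. The entity patterns appear mangled by this page's rendering, so the exact order should be confirmed against the file.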
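Review bot: Adding `txt` to the accepted list in `directive_ok` (t/008filter.t) makes the filter test pass for `FILTER txt` in every template it scans, while the filter's own comment in Template.pm restricts it to output that never reaches a browser. Unlike `none`, which leaves a value as it is, `txt` turns escaped text back into markup characters, so a stray use in a browser-facing template would pass this test silently. This commit itself uses `txt` in two `.html.tmpl` files, so a simple extension-based rule would not work. An explicit allowlist of templates permitted to use it would be the stricter option. At minimum, record the constraint beside the list, e.g. `# txt un-escapes HTML; only acceptable where the output is known to be plain text`. The body of `directive_ok` starts outside this hunk, so what it has available to check is not visible here.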
@@ -434,7 +434,11 @@ [%# We only want HTML error messages for ERROR_MODE_WEBPAGE %] [% USE Bugzilla %] [% IF Bugzilla.error_mode != constants.ERROR_MODE_WEBPAGE %] - [% error_message FILTER none %] + [% IF Bugzilla.usage_mode == constants.USAGE_MODE_BROWSER %] + [% error_message FILTER none %] + [% ELSE %] + [% error_message FILTER txt %] + [% END %] [% RETURN %] [% END %] diff --git a/template/en/default/global/message.txt.tmpl b/template/en/default/global/message.txt.tmpl index fc0ec19774..e8ec1e5104 100644 --- a/template/en/default/global/message.txt.tmpl +++ b/template/en/default/global/message.txt.tmpl @@ -23,4 +23,4 @@ [%# Yes, this may show some HTML. But it's the best we # can do at the moment. %] [% PROCESS global/messages.html.tmpl %] -[% message %] +[% message FILTER txt %] diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index a9706376b1..646da5f753 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -1483,7 +1483,11 @@ [%# We only want HTML error messages for ERROR_MODE_WEBPAGE %] [% USE Bugzilla %] [% IF Bugzilla.error_mode != constants.ERROR_MODE_WEBPAGE %] - [% error_message FILTER none %] + [% IF Bugzilla.usage_mode == constants.USAGE_MODE_BROWSER %] + [% error_message FILTER none %] + [% ELSE %] + [% error_message FILTER txt %] + [% END %] [% RETURN %] [% END %]
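Review bot: The new `ELSE` branch in code-error.html.tmpl sends `error_message FILTER txt` to every usage mode other than `USAGE_MODE_BROWSER`, and that output has its entities decoded back into raw `<`, `&` and quote characters. Whatever consumes it (not visible in this hunk) has to treat it as untrusted plain text and encode it again for its own format before embedding it in anything structured. A template comment would record that, e.g. `[%# txt output is un-escaped plain text; encode it again before placing it in HTML or XML %]`. The same five-line block is added to user-error.html.tmpl in the last hunk, so this applies there too. The duplicated branch could live in one shared template that both files include.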
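Review bot: In message.txt.tmpl the comment kept just above the changed line, `Yes, this may show some HTML. But it's the best we can do at the moment.`, no longer matches the template now that `message` goes through `FILTER txt`. I would replace it with something like `[%# messages.html.tmpl renders message as HTML; FILTER txt strips the tags and un-escapes entities for plain-text output. %]`. Template.pm describes the tag remover as trivial, so unusual markup may still leave fragments behind, which is worth noting in the same comment.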