From: Dylan Hardison
Date: Tue, 22 Dec 2015 18:34:38 +0000 (-0500)
Subject: Bug 1232785 - [SECURITY] Buglists in CSV format can be parsed as valid javascript...
X-Git-Tag: bugzilla-4.2.16~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c899b36cbb3f9813b5027b5a5af5d979f0e1f141;p=thirdparty%2Fbugzilla.git
Bug 1232785 - [SECURITY] Buglists in CSV format can be parsed as valid javascript in some browsers r=dkl,a=dkl
---
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 7fd3f0e8d7..1daeacf8cd 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -744,6 +744,9 @@ sub create {
 {
 my ($var) = @_;
 $var = ' ' . $var if substr($var, 0, 1) eq '=';
+ # backslash is not special to CSV, but it can be used to confuse some browsers...
+ # so we do not allow it to happen. We only do this for logged-in users.
+ $var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id;
 $var =~ s/\"/\"\"/g;
 if ($var !~ /^-?(\d+\.)?\d*$/) {
 $var = "\"$var\"";
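Review bot: The new comment above `$var =~ s/\\/\x{FF3C}/g if Bugzilla->user->id;` says the substitution is limited to logged-in users but not why, and that reasoning is the security-relevant part of the change. I would extend it to `# Only for logged-in users: an anonymous export carries no session-bound data, so it can keep backslashes intact for CSV consumers.` — presumably the intent is that the cross-origin script-inclusion risk named in the bug title only matters when the browser attaches the victim's session to the request, but that should be confirmed and recorded next to the check. The comment should also state plainly that exported data is altered (every backslash becomes U+FF3C FULLWIDTH REVERSE SOLIDUS), since that is a visible fidelity change for anyone consuming the CSV, and that the replacement is a wide character, so the output handle is assumed to be UTF-8 encoded. The csv filter closure and the enclosing `sub create` both begin and end outside the hunk.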