From: Byron Jones Date: Wed, 28 Dec 2011 21:48:20 +0000 (-0500) Subject: Bug 697699 - (CVE-2011-3657) [SECURITY] XSS when viewing new charts or tabular and... X-Git-Tag: bugzilla-3.4.13~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f9b1ed442ed9bf2183f7a2e610aa03dbd41a34ab;p=thirdparty%2Fbugzilla.git Bug 697699 - (CVE-2011-3657) [SECURITY] XSS when viewing new charts or tabular and graphical reports in debug mode r=gerv, a=LpSolit
---
diff --git a/Bugzilla/Chart.pm b/Bugzilla/Chart.pm
index 58089d29ee..f218c6306a 100644
--- a/Bugzilla/Chart.pm
+++ b/Bugzilla/Chart.pm
@@ -438,7 +438,7 @@ sub dump { require Data::Dumper; print "
Bugzilla::Chart object:\n";
-    print Data::Dumper::Dumper($self);
+    print html_quote(Data::Dumper::Dumper($self));
     print "
"; }
diff --git a/report.cgi b/report.cgi
index 2f950948a1..2b0efad1d9 100755
--- a/report.cgi
+++ b/report.cgi
@@ -309,9 +309,9 @@ print $cgi->header(-type => $format->{'ctype'}, if ($cgi->param('debug')) { require Data::Dumper; print "
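Review bot: The added line in `sub dump` calls `html_quote`, but the hunk does not show that the name is in scope in Bugzilla/Chart.pm; it is exported by Bugzilla::Util, so confirm the file already has `use Bugzilla::Util;`, otherwise the debug path dies at runtime with an undefined-subroutine error rather than failing at compile time. The same check applies to the report.cgi hunk below. Escaping the entire Dumper string is the right fix here, since the dumped object presumably carries the chart parameters taken from the request and the text is printed inside a `<pre>` in an HTML response, where unescaped `<`, `>` and `&` become markup. It would help the next maintainer to state that intent, e.g. `# Debug-only: dumps full object state; always HTML-escape, as it echoes request input.`. The start of `sub dump` is outside the hunk.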
data hash:\n";
-    print Data::Dumper::Dumper(%data) . "\n\n";
+    print html_quote(Data::Dumper::Dumper(%data)) . "\n\n";
     print "data array:\n";
-    print Data::Dumper::Dumper(@image_data) . "\n\n
";
+ print html_quote(Data::Dumper::Dumper(@image_data)) . "\n\n"; } # All formats point to the same section of the documentation.
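Review bot: Both added lines still hand `%data` and `@image_data` to `Data::Dumper::Dumper` by value, which flattens them into a list of scalars, so the escaped debug output is a run of `$VAR1`, `$VAR2`, ... entries rather than one readable structure; since these lines are being rewritten anyway, `print html_quote(Data::Dumper::Dumper(\%data)) . "\n\n";` and `print html_quote(Data::Dumper::Dumper(\@image_data)) . "\n\n";` would keep the same escaping and produce a nested dump. The escaping matters because the `debug` switch on the first line of the hunk is read straight from `$cgi->param`, so any requester can turn it on, and the dumped report data is presumably derived from query parameters, which lets attacker-chosen `<` or `>` reach the page verbatim when the format's ctype is HTML. The enclosing `if ($cgi->param('debug'))` block is fully inside the hunk, but the `print $cgi->header(...)` call it follows is not.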