authorFrédéric Buclin <LpSolit@gmail.com>2013-10-16 19:26:25 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2013-10-16 19:26:25 +0200
commit3b9eb2e03904a12cf38268b2527742e5ede7f305 (patch)
tree6a6c5674534e3cbb745d4a617b34b153517d4ac7
parentBug 924802: (CVE-2013-1742) [SECURITY] (XSS) "id" and "sortkey" are not sanit... (diff)
Bug 924932: (CVE-2013-1743) [SECURITY] Field values are (still) not escaped correctly in tabular reports
r=dkl a=glob
-rw-r--r--template/en/default/reports/report-table.html.tmpl38
1 files changed, 24 insertions, 14 deletions
diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl
index b41753550..cef47c2d9 100644
--- a/template/en/default/reports/report-table.html.tmpl
+++ b/template/en/default/reports/report-table.html.tmpl
@@ -47,32 +47,42 @@
[% END %]
<script type="text/javascript">
+function bz_encode (str, decode) {
+ // First decode HTML entities, if requested.
+ if (decode)
+ str = str.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
+ .replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/\s+$/,"");
+
+ // encodeURIComponent() doesn't escape single quotes.
+ return encodeURIComponent(str).replace(/'/g, escape);
+};
+
YAHOO.util.Event.addListener(window, "load", function() {
this.Linkify = function(elLiner, oRecord, oColumn, oData) {
if (oData == 0)
elLiner.innerHTML = ".";
else if (oRecord.getData("row_title") == "Total")
- elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% col_field FILTER js %]="
- + oColumn.field + "[% '&amp;' _ row_vals IF row_vals %]'>"
- + oData + "</a>";
+ elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% col_field FILTER uri FILTER js %]='
+ + bz_encode(oColumn.field)
+ + '[% "&amp;" _ row_vals IF row_vals %]">' + oData + '</a>';
else
- elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% row_field FILTER js %]="
- + oRecord.getData("row_title").replace(/\s+$/,"")
- + "&amp;[% col_field FILTER js %]=" + oColumn.field
- + "'>" + oData + "</a>";
+ elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% row_field FILTER uri FILTER js %]='
+ + bz_encode(oRecord.getData("row_title"), 1)
+ + '&amp;[% col_field FILTER uri FILTER js %]='
+ + bz_encode(oColumn.field) + '">' + oData + '</a>';
};
this.LinkifyTotal = function(elLiner, oRecord, oColumn, oData) {
if (oData == 0)
elLiner.innerHTML = ".";
else if (oRecord.getData("row_title") == "Total")
- elLiner.innerHTML = "<a href='[% urlbase %][% '&amp;' _ row_vals IF row_vals %]
- [%~ '&amp;' _ col_vals IF col_vals %]'>"
- + oData + "</a>";
+ elLiner.innerHTML = '<a href="[% urlbase FILTER js %][% "&amp;" _ row_vals IF row_vals %]
+ [%~ "&amp;" _ col_vals IF col_vals %]">'
+ + oData + '</a>';
else
- elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% row_field FILTER js %]="
- + oRecord.getData("row_title").replace(/\s+$/,"")
- + "[% '&amp;' _ col_vals IF col_vals %]'>" + oData + "</a>";
+ elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% row_field FILTER uri FILTER js %]='
+ + bz_encode(oRecord.getData("row_title"), 1)
+ + '[% "&amp;" _ col_vals IF col_vals %]">' + oData + '</a>';
YAHOO.util.Dom.addClass(elLiner.parentNode, "ttotal");
};
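Review bot: `row_vals` and `col_vals` are still spliced into the JavaScript string literals with no filter (`[% "&amp;" _ row_vals IF row_vals %]` and the `col_vals` counterparts), while `urlbase` on the same lines now gets `FILTER js`; whether that is safe depends on these being URL-encoded query fragments built by the caller, which this template does not show. For consistency and as a belt-and-braces measure, `[% "&amp;" _ row_vals FILTER js IF row_vals %]` (and likewise for `col_vals`) would cost nothing if the values are already percent-encoded, or a `FILTER none` would at least record that the omission is deliberate. Similarly `oData` is concatenated into `innerHTML` unescaped; it appears to be a numeric count given the `oData == 0` test, but that assumption is worth a comment. `bz_encode` itself deserves a header such as `// URL-encode str for a quoted href; decode=1 first unescapes the entities the data table emits (&amp; last, so &amp;lt; is not double-decoded) and strips trailing whitespace`, noting that numeric entities like `&#39;` are not decoded and will reach the server percent-encoded as literal text. The stray `;` after the `bz_encode` function declaration is an empty statement and can be dropped.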
@@ -164,7 +174,7 @@ YAHOO.util.Event.addListener(window, "load", function() {
[% col_idx = 0 %]
[% row_idx = 0 %]
[% grand_total = 0 %]
-<div id="tabular_report_container_[% tbl FILTER js %]">
+<div id="tabular_report_container_[% tbl FILTER html %]">
<table id="tabular_report" border="1">
[% IF col_field %]
<thead>