diff options
| author |   Frédéric Buclin <LpSolit@gmail.com> | 2013-10-16 19:25:24 +0200 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2013-10-16 19:25:24 +0200 |
| commit | 7fca098a570872d808bf839204180bd889268487 (patch) | |
| tree | 29013b3dc0ac50d9dfa265c0d9d5c7a7004b77f9 | |
| parent | Bug 924802: (CVE-2013-1742) [SECURITY] (XSS) "id" and "sortkey" are not sanit... (diff) | |
| download | bugzilla-7fca098a570872d808bf839204180bd889268487.tar.gz bugzilla-7fca098a570872d808bf839204180bd889268487.tar.bz2 bugzilla-7fca098a570872d808bf839204180bd889268487.zip | |
Bug 924932: (CVE-2013-1743) [SECURITY] Field values are not escaped correctly in tabular reports
r=dkl a=glob
| -rw-r--r-- | template/en/default/reports/report-table.html.tmpl | 38 |
1 files changed, 24 insertions, 14 deletions
diff --git a/template/en/default/reports/report-table.html.tmpl b/template/en/default/reports/report-table.html.tmpl index 466a87d9f..2747166be 100644 --- a/template/en/default/reports/report-table.html.tmpl +++ b/template/en/default/reports/report-table.html.tmpl @@ -30,32 +30,42 @@ [% END %] <script type="text/javascript"> +function bz_encode (str, decode) { + // First decode HTML entities, if requested. + if (decode) + str = str.replace(/</g, "<").replace(/>/g, ">").replace(/"/g, '"') + .replace(/ /g, " ").replace(/&/g, "&").replace(/\s+$/,""); + + // encodeURIComponent() doesn't escape single quotes. + return encodeURIComponent(str).replace(/'/g, escape); +}; + YAHOO.util.Event.addListener(window, "load", function() { this.Linkify = function(elLiner, oRecord, oColumn, oData) { if (oData == 0) elLiner.innerHTML = "."; else if (oRecord.getData("row_title") == "Total") - elLiner.innerHTML = "<a href='[% urlbase %]&[% col_field FILTER js %]=" - + oColumn.field + "[% '&' _ row_vals IF row_vals %]'>" - + oData + "</a>"; + elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&[% col_field FILTER uri FILTER js %]=' + + bz_encode(oColumn.field) + + '[% "&" _ row_vals IF row_vals %]">' + oData + '</a>'; else - elLiner.innerHTML = "<a href='[% urlbase %]&[% row_field FILTER js %]=" - + oRecord.getData("row_title").replace(/\s+$/,"") - + "&[% col_field FILTER js %]=" + oColumn.field - + "'>" + oData + "</a>"; + elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&[% row_field FILTER uri FILTER js %]=' + + bz_encode(oRecord.getData("row_title"), 1) + + '&[% col_field FILTER uri FILTER js %]=' + + bz_encode(oColumn.field) + '">' + oData + '</a>'; }; this.LinkifyTotal = function(elLiner, oRecord, oColumn, oData) { if (oData == 0) elLiner.innerHTML = "."; else if (oRecord.getData("row_title") == "Total") - elLiner.innerHTML = "<a href='[% urlbase %][% '&' _ row_vals IF row_vals %] - [%~ '&' _ col_vals IF col_vals %]'>" - + oData + "</a>"; + elLiner.innerHTML = '<a href="[% urlbase FILTER js %][% "&" _ row_vals IF row_vals %] + [%~ "&" _ col_vals IF col_vals %]">' + + oData + '</a>'; else - elLiner.innerHTML = "<a href='[% urlbase %]&[% row_field FILTER js %]=" - + oRecord.getData("row_title").replace(/\s+$/,"") - + "[% '&' _ col_vals IF col_vals %]'>" + oData + "</a>"; + elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&[% row_field FILTER uri FILTER js %]=' + + bz_encode(oRecord.getData("row_title"), 1) + + '[% "&" _ col_vals IF col_vals %]">' + oData + '</a>'; YAHOO.util.Dom.addClass(elLiner.parentNode, "ttotal"); }; @@ -147,7 +157,7 @@ YAHOO.util.Event.addListener(window, "load", function() { [% col_idx = 0 %] [% row_idx = 0 %] [% grand_total = 0 %] -<div id="tabular_report_container_[% tbl FILTER js %]"> +<div id="tabular_report_container_[% tbl FILTER html %]"> <table id="tabular_report" border="1"> [% IF col_field %] <thead> |