Bug 330555: [SECURITY] H1, H2 and H3 are not filtered in global/header.html.tmpl - Patch by Fr�d�ric Buclin <LpSolit@gmail.com> r=justdave a=justdave

2024-11-02 07:05:24 +00:00 · 2006-10-14 20:48:48 +00:00 · 2006-10-14 20:48:48 +00:00 · 28c4f4c0da
commit 28c4f4c0da
parent f0d32bc228
10 changed files with 26 additions and 13 deletions
--- a/webtools/bugzilla/template/en/default/admin/flag-type/edit.html.tmpl
+++ b/webtools/bugzilla/template/en/default/admin/flag-type/edit.html.tmpl
@ -35,9 +35,9 @@
 [% END %]

 [% IF last_action == "copy" %]
-  [% title = "Create Flag Type Based on $type.name" %]
+  [% title = BLOCK %]Create Flag Type Based on [% type.name FILTER html %][% END %]
 [% ELSIF last_action == "edit" %]
-  [% title = "Edit Flag Type $type.name" %]
+  [% title = BLOCK %]Edit Flag Type [% type.name FILTER html %][% END %]
 [% END %]

 [% PROCESS global/header.html.tmpl
--- a/webtools/bugzilla/template/en/default/admin/groups/edit.html.tmpl
+++ b/webtools/bugzilla/template/en/default/admin/groups/edit.html.tmpl
@ -41,9 +41,10 @@
  #                   be aware of the group being edited and its members.
  #%]

+[% title = BLOCK %]Change Group: [% name FILTER html %][% END %]

 [% PROCESS global/header.html.tmpl
-  title = "Change Group: $name"
+  title = title
  style = "tr.odd_row {
               background: #e9e9e9; 
           }
--- a/webtools/bugzilla/template/en/default/admin/groups/remove.html.tmpl
+++ b/webtools/bugzilla/template/en/default/admin/groups/remove.html.tmpl
@ -33,11 +33,13 @@


 [% IF remove_all %]
-  [% title = "Removing All Explicit Group Memberships from '"
-      _ name _ "'" %]
+  [% title = BLOCK %]
+    Removing All Explicit Group Memberships from '[% name FILTER html %]'
+  [% END %]
 [% ELSE %]
-  [% title = "Removing All Explicit Group Memberships Matching "
-      _ "Group RegExp from '" _ name _ "'" %]
+  [% title = BLOCK %]
+    Removing All Explicit Group Memberships Matching Group RegExp from '[% name FILTER html %]'
+  [% END %]
 [% END %]

 [% PROCESS global/header.html.tmpl %]
--- a/webtools/bugzilla/template/en/default/admin/users/confirm-delete.html.tmpl
+++ b/webtools/bugzilla/template/en/default/admin/users/confirm-delete.html.tmpl
@ -44,8 +44,10 @@
  #                           created
  #%]

+[% title = BLOCK %]Confirm deletion of user [% otheruser.login FILTER html %][% END %]
+
 [% PROCESS global/header.html.tmpl
-  title = "Confirm deletion of user $otheruser.login"
+  title = title
  style_urls = ['skins/standard/admin.css',
                'skins/standard/editusers.css']
 %]
--- a/webtools/bugzilla/template/en/default/admin/users/edit.html.tmpl
+++ b/webtools/bugzilla/template/en/default/admin/users/edit.html.tmpl
@ -25,8 +25,10 @@
  #                      canbless) for viewed user.
  #%]

+[% title = BLOCK %]Edit user [% otheruser.login FILTER html %][% END %]
+
 [% PROCESS global/header.html.tmpl
-  title = "Edit user $login"
+  title = title
  message = message
  style_urls = ['skins/standard/editusers.css']
 %]
--- a/webtools/bugzilla/template/en/default/bug/create/create.html.tmpl
+++ b/webtools/bugzilla/template/en/default/bug/create/create.html.tmpl
@ -26,8 +26,10 @@

 [% PROCESS "global/field-descs.none.tmpl" %]

+[% title = BLOCK %]Enter [% terms.Bug %]: [% product.name FILTER html %][% END %]
+
 [% PROCESS global/header.html.tmpl
-  title = "Enter $terms.Bug: $product.name"
+  title = title
  style_urls = [ 'skins/standard/create_attachment.css' ]
  javascript_urls = [ "js/attachment.js" ]
 %]
--- a/webtools/bugzilla/template/en/default/bug/show.html.tmpl
+++ b/webtools/bugzilla/template/en/default/bug/show.html.tmpl
@ -31,7 +31,7 @@
  [% filtered_desc = bug.short_desc FILTER html %]
  [% filtered_timestamp = bug.delta_ts FILTER time %]
  [% PROCESS global/header.html.tmpl
-    title = "$terms.Bug $bug.bug_id - $bug.short_desc"
+    title = "$terms.Bug $bug.bug_id - $filtered_desc"
    h1 = "$terms.Bug&nbsp;$bug.bug_id"
    h2 = filtered_desc
    h3 = "Last modified: $filtered_timestamp"
--- a/webtools/bugzilla/template/en/default/filterexceptions.pl
+++ b/webtools/bugzilla/template/en/default/filterexceptions.pl
@ -232,6 +232,7 @@
  'javascript', 
  'style', 
  'onload',
+  'title',
  'h1',
  'h2',
  'h3', 
--- a/webtools/bugzilla/template/en/default/global/header.html.tmpl
+++ b/webtools/bugzilla/template/en/default/global/header.html.tmpl
@ -62,7 +62,7 @@
                      "http://www.w3.org/TR/html4/loose.dtd">
 <html>
  <head>
-    <title>[% title FILTER html %]</title>
+    <title>[% title %]</title>

 [%# Migration note: contents of the old Param 'headerhtml' would go here %]

--- a/webtools/bugzilla/template/en/default/reports/duplicates.html.tmpl
+++ b/webtools/bugzilla/template/en/default/reports/duplicates.html.tmpl
@ -36,12 +36,15 @@
 [% PROCESS global/variables.none.tmpl %]

 [% IF query_products.size %]
-  [% title = "Most Frequently Reported $terms.Bugs for ${query_products.join(', ')}" %]
+  [% title = BLOCK %]
+    Most Frequently Reported [% terms.Bugs %] for [% query_products.join(', ') FILTER html %]
+  [% END %]
 [% ELSE %]
  [% title = "Most Frequently Reported $terms.Bugs" %]
 [% END%]

 [% PROCESS global/header.html.tmpl
+   title = title
   style = ".resolved { background-color: #d9d9d9; color: #000000; }"
 %]