Commit 02653931 authored by gerv%gerv.net

Bug 207044 - Filter more template directives. None of these are security bugs,…

Bug 207044 - Filter more template directives. None of these are security bugs, but they need fixing anyway. Patch by gerv; r,a=justdave.
parent 94266c52
......@@ -256,6 +256,11 @@ sub create {
$var =~ s/\@/\@/g;
return $var;
},
# We force filtering of every variable in key security-critical
# places; we have a none filter for people to use when they
# really, really don't want a variable to be changed.
none => sub { return $_[0]; } ,
},
PLUGIN_BASE => 'Bugzilla::Template::Plugin',
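Review bot: The `none` filter on L14 is an identity, and because the template filter test now accepts `FILTER none` as "filtered", every use of it is a deliberate opt-out of escaping that the test can no longer catch; the comment above it should say that plainly so nobody reaches for it as a convenience. I would extend the comment to: `# 'none' passes the value through unescaped. Use it ONLY for values that are already escaped HTML (e.g. a BLOCK built from filtered parts) or for trusted admin-authored markup; the filter test treats it as filtered, so it must never be applied to raw user input.` The `create` sub this hash lives in starts before the hunk.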
......@@ -1078,6 +1078,7 @@ END
csv => sub { return $_; },
time => sub { return $_; },
obscure_email => sub { return $_; },
none => sub { return $_; } ,
},
}) || die ("Could not create Template Provider: "
. Template::Provider->error() . "\n");
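Review bot: The new stub on L22 returns `$_` rather than its argument `$_[0]`, unlike the real filter in Bugzilla::Template; that matches the neighbouring stubs and is harmless if this provider only precompiles templates, but any template actually rendered through it would get the topic variable instead of the filtered value. A one-line comment above the stubs would stop someone reusing them at runtime: `# Dummy filters: this provider only compiles templates, the output is never used.` The hash these entries belong to begins before the hunk.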
......@@ -99,6 +99,7 @@ foreach my $include_path (@include_paths) {
csv => sub { return $_ } ,
time => sub { return $_ } ,
obscure_email => sub { return $_ } ,
none => sub { return $_ } ,
},
}
);
......@@ -199,7 +199,7 @@ sub directive_ok {
# Note: If a single directive prints two things, and only one is
# filtered, we may not catch that case.
return 1 if $directive =~ /FILTER\ (html|csv|js|url_quote|css_class_quote|
quoteUrls|time|uri|xml|lower)/x;
quoteUrls|time|uri|xml|lower|none)/x;
return 0;
}
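Review bot: Adding `none` to the alternation on L41 makes `FILTER none` indistinguishable from real escaping as far as this test is concerned, so the audit burden moves to code review; a comment beside the regex should record that, e.g. `# 'none' is an explicit, reviewed opt-out: it satisfies this check but performs no escaping.` The alternation is also unanchored on its right edge, so a future filter named e.g. `nonesuch` or `htmlish` would be accepted by prefix; a `\b` after the closing parenthesis closes that gap. The body of `directive_ok` begins before the hunk.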
......@@ -74,7 +74,7 @@
</tr>
<tr>
<th align="right">Change request expires:</th>
<td>[% login_change_date %]</td>
<td>[% login_change_date FILTER time %]</td>
</tr>
[% ELSE %]
<tr>
......@@ -83,7 +83,7 @@
</tr>
<tr>
<th align="right">Completion date:</th>
<td>[% login_change_date %]</td>
<td>[% login_change_date FILTER time %]</td>
</tr>
[% END %]
[% ELSE %]
......@@ -57,7 +57,8 @@
<tr>
<th align="right">Users to watch:</th>
<td>
<input size="35" name="watchedusers" value="[% watchedusers %]">
<input size="35" name="watchedusers"
value="[% watchedusers FILTER html %]">
</td>
</tr>
[% END %]
......@@ -29,7 +29,7 @@
%]
<p>
There are [% flag_count %] flags of type [% name %].
There are [% flag_count %] flags of type [% name FILTER html %].
If you delete this type, those flags will also be deleted. Note that
instead of deleting the type you can
<a href="editflagtypes.cgi?action=deactivate&amp;id=[% flag_type.id %]">deactivate it</a>,
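Review bot: `flag_type.id` on L82 is still emitted unescaped into the href, and its entry survives in the test's exception list for this template, while `name` three lines earlier now gets `FILTER html`. If the id is validated as an integer before the template is reached — not visible here — that is fine, but `id=[% flag_type.id FILTER url_quote %]` costs nothing and removes the dependence on upstream validation; `flag_count` on L79 is in the same position.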
......@@ -67,10 +67,10 @@
<input type="hidden" name="id" value="[% type.id %]">
<input type="hidden" name="target_type" value="[% type.target_type %]">
[% FOREACH category = type.inclusions %]
<input type="hidden" name="inclusions" value="[% category %]">
<input type="hidden" name="inclusions" value="[% category FILTER html %]">
[% END %]
[% FOREACH category = type.exclusions %]
<input type="hidden" name="exclusions" value="[% category %]">
<input type="hidden" name="exclusions" value="[% category FILTER html %]">
[% END %]
<table id="form" cellspacing="0" cellpadding="4" border="0">
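Review bot: The hidden `id` and `target_type` inputs on L85-L86 are still emitted without a filter while the sibling `inclusions`/`exclusions` values in the same hunk now get `FILTER html`, and both names stay on the test's exception list. `target_type` is a string value, so `value="[% type.target_type FILTER html %]"` would make the hunk consistent, and `type.id FILTER html` is harmless even if the id is always numeric. The form these inputs belong to starts before the hunk.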
......@@ -105,13 +105,17 @@
<select name="product" onchange="selectProduct(this.form, 'product', 'component', '__Any__');">
<option value="">__Any__</option>
[% FOREACH item = products %]
<option value="[% item %]" [% "selected" IF type.product.name == item %]>[% item %]</option>
<option value="[% item FILTER html %]"
[% "selected" IF type.product.name == item %]>
[% item FILTER html %]</option>
[% END %]
</select><br>
<select name="component">
<option value="">__Any__</option>
[% FOREACH item = components %]
<option value="[% item %]" [% "selected" IF type.component.name == item %]>[% item %]</option>
<option value="[% item FILTER html %]"
[% "selected" IF type.component.name == item %]>
[% item FILTER html %]</option>
[% END %]
</select><br>
<input type="submit" name="categoryAction" value="Include">
......@@ -186,7 +190,10 @@
<tr>
<th></th>
<td>
<input type="submit" value="[% (last_action == "enter" || last_action == "copy") ? "Create" : "Save Changes" %]">
<input type="submit" value="
[% IF (last_action == "enter" || last_action == "copy") %]Create
[% ELSE %]Save Changes
[% END %]">
</td>
</tr>
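Review bot: The rewritten `value` attribute on L121-L124 spans four lines, so the submit button's value is now a string containing newlines and the template's indentation around `Create`/`Save Changes`, where the old ternary produced the bare label. Chomp markers keep the IF form without the whitespace: `value="[%- IF (last_action == "enter" || last_action == "copy") -%]Create[%- ELSE -%]Save Changes[%- END -%]">`. Whether a browser hides that whitespace when drawing the button is browser-dependent, so it is better not to rely on it.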
......@@ -92,7 +92,7 @@
[% FOREACH type = types %]
<tr class="[% type.is_active ? "active" : "inactive" %]">
<tr class="[% IF type.is_active %]active[% ELSE %]inactive[% END %]">
<td><a href="editflagtypes.cgi?action=edit&amp;id=[% type.id %]">[% type.name FILTER html %]</a></td>
<td>[% type.description FILTER html %]</td>
<td>
......@@ -53,13 +53,13 @@
[% IF attachment.flags.size == 0 %]
<i>none</i>
[% ELSE %]
[% FOR flag = attachment.flags %]
[% FOREACH flag = attachment.flags %]
[% IF flag.setter %]
[% flag.setter.nick FILTER html %]:
[% END %]
[%+ flag.type.name %][% flag.status %]
[%+ flag.type.name FILTER html %][% flag.status %]
[%+ IF flag.status == "?" && flag.requestee %]
([% flag.requestee.nick %])
([% flag.requestee.nick FILTER html %])
[% END %]<br>
[% END %]
[% END %]
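Review bot: `flag.status` on L146 is still printed unfiltered immediately after the now-escaped `flag.type.name`, and the test's exception list keeps it. If statuses are constrained to `+`, `-` and `?` by the flag code — plausible from the `flag.status == "?"` comparison on L147 but not shown here — this is safe; otherwise `[% flag.status FILTER html %]` is the consistent choice and costs nothing. The `FOR` to `FOREACH` change on L141 only matters to the test's directive parser (its exception note flagged `FOR`); the two keywords are synonyms in Template Toolkit.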
......@@ -60,7 +60,7 @@
[% FOREACH operation = operations %]
<tr>
<td rowspan="[% operation.changes.size %]" valign="top">
[% operation.who %]
[% operation.who FILTER html %]
</td>
<td rowspan="[% operation.changes.size %]" valign="top">
[% operation.when FILTER time %]
......@@ -224,7 +224,8 @@ function PutDescription() {
The area where the problem occurs.
To pick the right component, you could use the same one as
similar [% terms.bugs %] you found in your search, or read the full list of
<a href="describecomponents.cgi?product=[% product %]">component
<a href="describecomponents.cgi?product=
[% product FILTER url_quote %]">component
descriptions</a> if you need more help.
</p>
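Review bot: Splitting the href on L169-L170 puts a newline, plus whatever indentation precedes the directive, inside the attribute value between `product=` and the encoded product name; unless the engine is configured with PRE_CHOMP (not visible here), browsers will send that whitespace to describecomponents.cgi as part of the query string. Pre-chomping the directive fixes it without re-joining the line: `[%- product FILTER url_quote %]">component`. The `show_bug.cgi?id=` link rewritten in user-error.html.tmpl in this commit has the same shape.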
......@@ -171,7 +171,8 @@ function set_assign_to() {
<td colspan="2"></td>
</tr>
[% ELSE %]
<input type="hidden" name="bug_status" value="[% default.bug_status %]">
<input type="hidden" name="bug_status"
value="[% default.bug_status FILTER html %]">
[% END %]
<tr>
......@@ -32,8 +32,14 @@
[% PROCESS depthControlToolbar %]
[%# Display the tree of bugs that this bug depends on. %]
<h3>[% hide_resolved ? "Open $terms.bugs" : "$terms.Bugs" %]
that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %]&nbsp;[% bugid %]</a> depends on</h3>
<h3>
[% IF hide_resolved %]
Open [% terms.bugs %]
[% ELSE %]
[% terms.Bugs %]
[% END %]
that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %]&nbsp;[% bugid %]</a>
depends on</h3>
[% IF dependson_ids.size > 0 %]
(
[% IF maxdepth -%]Up to [% maxdepth %] level[% "s" IF maxdepth > 1 %] deep | [% END %]
......@@ -48,8 +54,14 @@
[% END %]
[%# Display the tree of bugs that this bug blocks. %]
<h3>[% hide_resolved ? "Open $terms.bugs" : "$terms.Bugs" %]
that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %]&nbsp;[% bugid %]</a> blocks</h3>
<h3>
[% IF hide_resolved %]
Open [% terms.bugs %]
[% ELSE %]
[% terms.Bugs %]
[% END %]
that <a href="show_bug.cgi?id=[% bugid %]">[% terms.bug %]&nbsp;[% bugid %]</a>
blocks</h3>
[% IF blocked_ids.size > 0 %]
(
[% IF maxdepth -%]Up to [% maxdepth %] level[% "s" IF maxdepth > 1 %] deep | [% END %]
......@@ -112,7 +124,8 @@
<input name="maxdepth" type="hidden" value="[% maxdepth %]">
[% END %]
<input type="hidden" name="hide_resolved" value="[% hide_resolved ? 0 : 1 %]">
<input type="submit" value="[% hide_resolved ? "Show" : "Hide" %] Resolved">
<input type="submit"
value="[% IF hide_resolved %]Show[% ELSE %]Hide[% END %] Resolved">
</form>
</td>
......@@ -128,9 +141,8 @@
<form method="get" action="showdependencytree.cgi"
style="display: inline; margin: 0px;">
[%# set to one form %]
<input type="submit" value="&nbsp;1&nbsp;" [%
realdepth < 2 || maxdepth == 1 ? "disabled" : ""
%]>
<input type="submit" value="&nbsp;1&nbsp;"
[% "disabled" IF realdepth < 2 || maxdepth == 1 %]>
<input name="id" type="hidden" value="[% bugid %]">
<input name="maxdepth" type="hidden" value="1">
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
......@@ -148,9 +160,8 @@
: ( maxdepth ? maxdepth - 1 : realdepth - 1 )
%]">
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
<input type="submit" value="&nbsp;&lt;&nbsp;" [%
realdepth < 2 || ( maxdepth && maxdepth < 2 ) ? "disabled" : ""
%]>
<input type="submit" value="&nbsp;&lt;&nbsp;"
[% "disabled" IF realdepth < 2 || ( maxdepth && maxdepth < 2 ) %]>
</form>
</td>
......@@ -165,7 +176,7 @@
<input name="id" type="hidden" value="[% bugid %]">
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
<noscript>
<input type="submit" value="Change" [% realdepth < 2 ? "disabled" : "" %]>
<input type="submit" value="Change" [% "disabled" IF realdepth < 2 %]>
</noscript>
</form>
</td>
......@@ -180,9 +191,8 @@
<input name="maxdepth" type="hidden" value="[% maxdepth + 1 %]">
[% END %]
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
<input type="submit" value="&nbsp;&gt;&nbsp;" [%
realdepth < 2 || ! maxdepth || maxdepth >= realdepth ?
"disabled" : ""
<input type="submit" value="&nbsp;&gt;&nbsp;"
[% "disabled" IF realdepth < 2 || !maxdepth || maxdepth >= realdepth %]
%]>
</form>
</td>
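Review bot: The hunk header `@@ -180,9 +191,8 @@` only balances if L266 (`%]>`) is an unchanged context line, which means the new template has `[% "disabled" IF ... %]` on L265 followed by a literal `%]>` on the next line — the closer of the old multi-line directive was not removed when the directive was collapsed onto one line. That emits a stray `%]` inside the `<input>` tag on the rendered page. L265 should end with `%]>` and L266 be deleted, matching the neighbouring buttons on L233, L245 and L253.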
......@@ -194,7 +204,7 @@
<input name="id" type="hidden" value="[% bugid %]">
<input name="hide_resolved" type="hidden" value="[% hide_resolved %]">
<input type="submit" value="&nbsp;Unlimited&nbsp;"
[% maxdepth == 0 || maxdepth == realdepth ? "disabled" : "" %]>
[% "disabled" IF maxdepth == 0 || maxdepth == realdepth %]>
</form>
</td>
</tr>
......@@ -61,10 +61,10 @@
[%############################################################################%]
[% BLOCK emails %]
<b>[% description %]:</b>
<b>[% description FILTER html %]:</b>
[% IF names.size > 0 %]
[%+ FOREACH name = names %]
[% name %][% ", " UNLESS loop.last() %]
[% name FILTER html %][% ", " UNLESS loop.last() %]
[% END %]
[% ELSE %]
no one
......@@ -48,11 +48,13 @@
<p>
[% IF use_target_milestone %]
You are moving the [% terms.bug %](s) to the product <b>[% form.product %]</b>,
You are moving the [% terms.bug %](s) to the product
<b>[% form.product FILTER html %]</b>,
and the version, component, and/or target milestone fields are no longer
correct. Please set the correct version, component, and target milestone now:
[% ELSE %]
You are moving the [% terms.bug %](s) to the product <b>[% form.product %]</b>,
You are moving the [% terms.bug %](s) to the product
<b>[% form.product FILTER html %]</b>,
and the version and component fields are no longer correct.
Please set the correct version and component now:
[% END %]
......@@ -97,7 +97,7 @@
<tr>
<td colspan="2">
<b>Component:</b>&nbsp;
[% bug.component %]
[% bug.component FILTER html %]
</td>
<td colspan="2">
......@@ -190,7 +190,7 @@
[% BLOCK cell %]
<td>
<b>[% attr.description%]:</b>&nbsp;
<b>[% attr.description FILTER html %]:</b>&nbsp;
[% bug.${attr.name} FILTER html %]
</td>
[% END %]
......@@ -21,9 +21,9 @@
[% PROCESS global/variables.none.tmpl %]
[% h2 = voting_user.login FILTER html %]
[% PROCESS global/header.html.tmpl
title = "Show Votes"
h2 = voting_user.name
%]
[% canedit = 1 IF voting_user.login == user.login %]
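Review bot: L326 pre-escapes `h2` but also switches its content from `voting_user.name` to `voting_user.login`, so the heading changes from the user's name to their login, which the `# Email` note dropped from the test file in this commit identifies as an email address — worth confirming that is intended and not a side effect of the filter change. Pre-filtering also assumes `global/header.html.tmpl` emits `h2` raw; if it applies `FILTER html` itself, an `&` in a login would render as `&amp;amp;`. A comment such as `[%# h2 is emitted unescaped by header.html.tmpl, so escape it here %]` would record that contract.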
......@@ -33,17 +33,7 @@
# Safe vmethods - [% foo.size %]
# TT loop variables - [% loop.count %]
# Already-filtered stuff - [% wibble FILTER html %]
# where the filter is one of html|csv|js|url_quote|quoteUrls|time|uri|xml
# Key:
#
# "#": directive should be filtered, but not doing so is not a security hole
# The plan is to come back and add filtering for all those marked "#" after
# the security release.
#
# "# Email": as above; but noting that it's an email address.
# Other sorts of comments denote cleanups noticed while doing this work;
# they should be fixed in the very short term.
# where the filter is one of html|csv|js|url_quote|quoteUrls|time|uri|xml|none
%::safe = (
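Review bot: The rewritten comment on L347 lists the accepted filters as `html|csv|js|url_quote|quoteUrls|time|uri|xml|none`, but `directive_ok` in the same file also accepts `css_class_quote` and `lower`, so the documentation and the check already disagree. Either keep the two lists identical or make the comment point at the code, e.g. `# where the filter is one of those accepted by directive_ok() below`; keeping the list in two places is how it drifted.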
......@@ -80,19 +70,6 @@
'field.accesskey',
'sel.name',
'sel.accesskey',
'button_name', #
],
'search/knob.html.tmpl' => [
'button_name', #
],
'search/search-report-graph.html.tmpl' => [
'button_name', #
],
'search/search-report-table.html.tmpl' => [
'button_name', #
],
'search/search-specific.html.tmpl' => [
......@@ -115,19 +92,11 @@
'reports/components.html.tmpl' => [
'numcols',
'comp.description',
'comp.initialowner', # email address
'comp.initialqacontact', # email address
],
'reports/duplicates-simple.html.tmpl' => [
'title', #
],
'reports/duplicates-table.html.tmpl' => [
'"&maxrows=$maxrows" IF maxrows',
'"&changedsince=$changedsince" IF changedsince',
'"&product=$product" IF product', #
'"&format=$format" IF format', #
'"&bug_id=$bug_ids_string&sortvisible=1" IF sortvisible',
'column.name',
'column.description',
......@@ -135,10 +104,6 @@
'bug.id',
'bug.count',
'bug.delta',
'bug.component', #
'bug.bug_severity', #
'bug.op_sys', #
'bug.target_milestone', #
],
'reports/duplicates.html.tmpl' => [
......@@ -154,11 +119,9 @@
],
'reports/report-table.csv.tmpl' => [
'"$tbl_field_disp: $tbl\n" IF tbl_field', #
'row_field_disp IF row_field', #
'col_field_disp', #
'num_bugs',
'data.$tbl.$col.$row',
'title',
'', # This is not a bug in the filter exceptions - this template has an
# empty directive which is necessary for it to work properly.
],
......@@ -168,7 +131,6 @@
'"&amp;$tbl_vals" IF tbl_vals',
'"&amp;$col_vals" IF col_vals',
'"&amp;$row_vals" IF row_vals',
'tbl_disp', #
'classes.$row_idx.$col_idx',
'urlbase',
'data.$tbl.$col.$row',
......@@ -178,16 +140,12 @@
],
'reports/report.html.tmpl' => [
'tbl_field_disp IF tbl_field', #
'row_field_disp IF row_field', #
'col_field_disp', #
'imagebase',
'width',
'height',
'imageurl',
'formaturl',
'other_format.name',
'other_format.description', #
'sizeurl',
'switchbase',
'format',
......@@ -233,7 +191,6 @@
'list/change-columns.html.tmpl' => [
'column',
'field_descs.${column} || column', #
],
'list/edit-multiple.html.tmpl' => [
......@@ -250,7 +207,6 @@
'list/list.html.tmpl' => [
'buglist',
'bugowners', # email address
],
'list/list.rdf.tmpl' => [
......@@ -260,7 +216,6 @@
],
'list/table.html.tmpl' => [
'abbrev.$id.title || field_descs.$id || column.title', #
'tableheader',
'bug.bug_id',
],
......@@ -287,17 +242,10 @@
'proddesc.$p',
],
# You are not permitted to add any values here. Everything in this file should
# be filtered unless there's an extremely good reason why not, in which case,
# use the "none" dummy filter.
'global/code-error.html.tmpl' => [
'parameters',
'bug.bug_id',
'field',
'argument', #
'function', #
'bug_id', # Need to remove unused error no_bug_data
'variables.id',
'template_error_msg', # Should move filtering from CGI.pl to template
'error',
'error_message',
],
'global/header.html.tmpl' => [
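Review bot: The rendered page drops the +/- markers, so it is not certain which of `bug.bug_id`, `field`, `variables.id`, `error` and `error_message` survive in this list; if any do they are now stale, because code-error.html.tmpl filters each of those names in this same commit. A stale exception lets a future unfiltered `[% field %]` in that template pass the test silently, which is exactly what the new "not permitted to add any values here" comment is trying to prevent, so the list should be cut down to what the template still emits raw (ideally nothing). The user-error list further down deserves the same check.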
......@@ -313,49 +261,27 @@
],
'global/messages.html.tmpl' => [
'parameters',
'# ---', # Work out what this is
'namedcmd', #
'old_email', # email address
'new_email', # email address
'message_tag',
'series.frequency * 2',
],
'global/select-menu.html.tmpl' => [
'options',
'onchange', # Again, need to be certain where we are filtering
'size',
],
'global/useful-links.html.tmpl' => [
'email',
'user.login', # Email address
],
# Need to change this and code-error to use a no-op filter, for safety
# You are not permitted to add any values here. Everything in this file should
# be filtered unless there's an extremely good reason why not, in which case,
# use the "none" dummy filter.
'global/user-error.html.tmpl' => [
'disabled_reason',
'bug_link',
'action', #
'bug_id',
'both',
'filesize',
'attach_id',
'field',
'field_descs.$field',
'today',
'product', #
'max',
'votes',
'error_message',
],
'global/confirm-user-match.html.tmpl' => [
'# use the global field descs', # Need to fix commenting style here
'script',
'# this is messy to allow later expansion',
'# ELSIF for things that don\'t belong in the field_descs hash here',
'fields.${field_name}.flag_type.name',
],
......@@ -381,22 +307,16 @@
],
'bug/dependency-tree.html.tmpl' => [
'hide_resolved ? "Open $terms.bugs" : "$terms.Bugs"',
'bugid',
'maxdepth',
'dependson_ids.join(",")',
'blocked_ids.join(",")',
'dep_id',
'hide_resolved',
'realdepth < 2 ? "disabled" : ""',
'maxdepth + 1',
'maxdepth == 0 || maxdepth == realdepth ? "disabled" : ""',
'realdepth < 2 || ( maxdepth && maxdepth < 2 ) ? "disabled" : ""',
'maxdepth > 0 && maxdepth <= realdepth ? maxdepth : ""',
'maxdepth == 1 ? 1
: ( maxdepth ? maxdepth - 1 : realdepth - 1 )',
'realdepth < 2 || ! maxdepth || maxdepth >= realdepth ?
"disabled" : ""',
],
'bug/edit.html.tmpl' => [
......@@ -425,8 +345,6 @@
'bug/show-multiple.html.tmpl' => [
'bug.bug_id',
'bug.component', #
'attr.description', #
],
'bug/show.xml.tmpl' => [
......@@ -454,7 +372,6 @@
'product.total',
'product.maxvotes',
],
# h2 = voting_user.name # Email
'bug/process/confirm-duplicate.html.tmpl' => [
'original_bug_id',
......@@ -474,21 +391,11 @@
'id',
],
'bug/process/verify-new-product.html.tmpl' => [
'form.product', #
],
'bug/process/bugmail.html.tmpl' => [
'description',
'name', # Email
],
'bug/create/comment.txt.tmpl' => [
'form.comment',
],
'bug/create/create.html.tmpl' => [
'default.bug_status', #
'g.bit',
'g.description',
'sel.name',
......@@ -498,7 +405,6 @@
'bug/create/create-guided.html.tmpl' => [
'matches.0',
'tablecolour',
'product', #
'buildid',
'sel',
],
......@@ -508,7 +414,6 @@
],
'bug/activity/table.html.tmpl' => [
'operation.who', # Email
'change.attachid',
'change.field',
],
......@@ -532,10 +437,7 @@
'attachment/list.html.tmpl' => [
'attachment.attachid',
'FOR flag = attachment.flags', # Bug? No FOR directive
'flag.type.name',
'flag.status',
'flag.requestee.nick', # Email
'bugid',
],
......@@ -585,7 +487,6 @@
'admin/flag-type/confirm-delete.html.tmpl' => [
'flag_count',
'name', #
'flag_type.id',
],
......@@ -593,10 +494,7 @@
'action',
'type.id',
'type.target_type',
'category', #
'item', #
'type.sortkey || 1',
'(last_action == "enter" || last_action == "copy") ? "Create" : "Save Changes"',
'typeLabelLowerPlural',
'typeLabelLowerSingular',
],
......@@ -610,12 +508,7 @@
'target',
],
'account/prefs/account.html.tmpl' => [
'login_change_date', #
],
'account/prefs/email.html.tmpl' => [
'watchedusers', # Email
'role',
'reason.name',
'reason.description',
......@@ -634,5 +527,3 @@
],
);
# Should filter reports/report.html.tmpl:130 $format
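Review bot: The reminder dropped on L622 about filtering `$format` in reports/report.html.tmpl is not matched by any change to that template within this commit, and `'format'` is still listed among its exceptions on L428. If the fix landed in a part of the commit outside this view that is fine; otherwise the reminder should stay — or better, the exception entry should go and the template get `FILTER url_quote`/`html`, so the test enforces it instead of a comment.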
......@@ -28,6 +28,9 @@
[%# This is a list of all the possible code errors. Please keep them in
# alphabetical order by error tag, and leave a blank line between errors.
#
# Note that you must explicitly filter every single template variable
# in this file; if you do not wish to change it, use the "none" filter.
#%]
[% PROCESS global/variables.none.tmpl %]
......@@ -35,14 +38,7 @@
[% DEFAULT title = "Internal Error" %]
[% error_message = BLOCK %]
[% IF error == "aaa_example_error_tag" %]
[% title = "Example Error" %]
This is an example error. The title is set above. This text is the body
of the error. It can contain arbitrary <b>HTML</b>, and also references
to any [% parameters %] which you may have set before calling
ThrowCodeError.
[% ELSIF error == "action_unrecognized" %]
[% IF error == "action_unrecognized" %]
I don't recognize the value (<em>[% variables.action FILTER html %]</em>)
of the <em>action</em> variable.
......@@ -61,8 +57,8 @@
An authorization handler return value was not handled by the login code.
[% ELSIF error == "bug_error" %]
Trying to retrieve [% terms.bug %] [%+ bug.bug_id %] returned the error
[% bug.error FILTER html %]
Trying to retrieve [% terms.bug %] [%+ bug.bug_id FILTER html %] returned
the error [% bug.error FILTER html %].
[% ELSIF error == "chart_data_not_generated" %]
The tool which gathers [% terms.bug %] counts has not been run yet.
......@@ -82,7 +78,7 @@
Run checksetup.pl for installation instructions.
[% ELSIF error == "field_type_mismatch" %]
Cannot seem to handle <code>[% field %]</code>
Cannot seem to handle <code>[% field FILTER html %]</code>
and <code>[% type FILTER html %]</code> together.
[% ELSIF error == "gd_not_installed" %]
......@@ -107,8 +103,8 @@
'[% bit FILTER html %]'.
[% ELSIF error == "bad_arg" %]
Bad argument <code>[% argument %]</code> sent to
<code>[% function %]</code> function.
Bad argument <code>[% argument FILTER html %]</code> sent to
<code>[% function FILTER html %]</code> function.
[% ELSIF error == "invalid_attach_id_to_obsolete" %]
The attachment number of one of the attachments you wanted to obsolete,
......@@ -145,11 +141,8 @@
but you tried to flag it as obsolete while creating a new attachment to
[% terms.bug %] [%+ my_bug_id FILTER html %].
[% ELSIF error == "no_bug_data" %]
No data when fetching [% terms.bug %] [%+ bug_id %].
[% ELSIF error == "flag_nonexistent" %]
There is no flag with ID #[% variables.id %].
There is no flag with ID #[% variables.id FILTER html %].
[% ELSIF error == "flag_status_invalid" %]
The flag status <em>[% variables.status FILTER html %]</em> is invalid.
......@@ -166,7 +159,7 @@
a positive integer.
[% ELSIF error == "flag_type_nonexistent" %]
There is no flag type with the ID <em>[% variables.id %]</em>.
There is no flag type with the ID <em>[% variables.id FILTER html %]</em>.
[% ELSIF error == "flag_type_product_nonexistent" %]
The product <em>[% variables.product FILTER html %]</em> does not exist.
......@@ -212,7 +205,7 @@
Something is seriously wrong with the token generation system.
[% ELSIF error == "template_error" %]
[% template_error_msg %]
[% template_error_msg FILTER html %]
[% ELSIF error == "unable_to_retrieve_password" %]
I was unable to retrieve your old password from the database.
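Review bot: L690 applies `FILTER html` to `template_error_msg`, but the exception note this commit removes from t/004template.t said the filtering for this value lived in CGI.pl; if CGI.pl still escapes it before handing it to the template, Template Toolkit error text containing `<` or `&` is now double-escaped. Either drop the escaping in CGI.pl in the same change, or leave a comment here saying which side owns it. The `error_message` BLOCK this branch belongs to starts before the hunk.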
......@@ -238,9 +231,9 @@
[% ELSE %]
[%# Give sensible error if error functions are used incorrectly.
#%]
You are using [% terms.Bugzilla %]'s ThrowCodeError() function incorrectly. You
passed in the string '[% error %]'. The correct use is to pass
in a tag, and define that tag in the file code-error.html.tmpl.<br>
You are using [% terms.Bugzilla %]'s ThrowCodeError() function incorrectly.
You passed in the string '[% error FILTER html %]'. The correct use is to
pass in a tag, and define that tag in the file code-error.html.tmpl.<br>
<br>
If you are a [% terms.Bugzilla %] end-user seeing this message, please save this
page and send it to [% Param('maintainer') %].
......@@ -267,7 +260,7 @@
<tr>
<td bgcolor="#ff0000">
<font size="+2">
[% error_message %]
[% error_message FILTER none %]
</font>
</td>
</tr>
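Review bot: `FILTER none` on L711 is the one place in this template where the opt-out is essential — `error_message` is a BLOCK assembled above from markup and already-escaped values, so escaping it again would turn its `<em>` and `<code>` tags into literal text. That reasoning should sit next to the directive so nobody later "fixes" it to `FILTER html`: `[%# error_message is a BLOCK of markup built above with every variable already filtered; do not escape it again %]`.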
......@@ -38,7 +38,7 @@
# self-referential URL
#%]
[% # use the global field descs %]
[%# use the global field descs %]
[% PROCESS "global/field-descs.none.tmpl" %]
[% IF matchsuccess == 1 %]
......@@ -74,7 +74,7 @@
</td>
</tr>
[% # this is messy to allow later expansion %]
[%# this is messy to allow later expansion %]
[% FOREACH field = matches %]
<tr>
......@@ -173,7 +173,7 @@
[% IF field_descs.${field_name} %]
[% field_descs.${field_name} FILTER html -%]
[%- # ELSIF for things that don't belong in the field_descs hash here -%]
[%-# ELSIF for things that don't belong in the field_descs hash here -%]
[% ELSIF field_name.match("^requestee") %]
[% fields.${field_name}.flag_type.name %] requestee
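Review bot: L736 still prints `fields.${field_name}.flag_type.name` unfiltered, and its exception stays in t/004template.t, while the same attribute is escaped as `flag.type.name FILTER html` in attachment/list.html.tmpl elsewhere in this commit. Flag type names are presumably admin-entered strings rather than fixed tokens, so `[% fields.${field_name}.flag_type.name FILTER html %] requestee` keeps the two templates consistent. The `[% # ... %]` to `[%# ... %]` changes are fine; they stop the comments being parsed as directives.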
......@@ -28,21 +28,15 @@
[% message_tag = message %]
[% message = BLOCK %]
[% IF message_tag == "aaa_example_message_tag" %]
[% title = "Example Message" %]
This is an example message. The title is set above. This text is the body
of the message. It can contain arbitrary <b>HTML</b>, and also references
to any [% parameters %] which you may have set.
[% ELSIF message_tag == "buglist_adding_field" %]
[% IF message_tag == "buglist_adding_field" %]
[% title = "Adding field to query page..." %]
[% link = "Click here if the page does not redisplay automatically." %]
[% # --- %]
[% ELSIF message_tag == "buglist_load_named_query" %]
[% title = BLOCK %]Loading your query named [% namedcmd %][% END %]
[% title = BLOCK %]
Loading your query named [% namedcmd FILTER html %]
[% END %]
[% link = "Click here if the page does not redisplay automatically." %]
[% # --- %]
[% ELSIF message_tag == "buglist_updated_named_query" %]
OK, your query named <code>[% queryname FILTER html %]</code> is updated.
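Review bot: The `title` BLOCK on L753-L755 now carries a leading newline plus indentation and a trailing newline into wherever header.html.tmpl emits it, where the old one-liner produced exactly `Loading your query named …`. If that whitespace matters at the point of use (a `<title>` tolerates it; a heading or attribute may not), chomp markers keep the multi-line layout: `[% title = BLOCK -%]` and `[%- END %]`. The `[% # --- %]` separators appear to be dropped here, which is right — the filter test was counting them as directives.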
......@@ -81,7 +75,8 @@
[% ELSIF message_tag == "email_change_cancelled_reinstated" %]
[% title = "Cancel Request to Change Email Address" %]
The request to change the email address for the
[% old_email %] account to [% new_email %] has been cancelled.
[% old_email FILTER html %] account to
[% new_email FILTER html %] has been cancelled.
Your old account settings have been reinstated.
[% ELSIF message_tag == "logged_out" %]
......@@ -44,7 +44,7 @@
[% options_type = BLOCK %][% options %][% END %]
<select name="[% name FILTER html %]"
[% IF onchange %]onchange="[% onchange %]"[% END %]
[% IF onchange %]onchange="[% onchange FILTER html %]"[% END %]
[% IF multiple %] multiple [% IF size %] size="[% size %]" [% END %] [% END %]>
[% IF options_type.search("ARRAY") %]
[% FOREACH value = options %]
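Review bot: `FILTER html` on L774 only stops the value from breaking out of the attribute; whatever is inside `onchange` is still executed as JavaScript, so the filter does not make a caller-supplied handler safe. The template should state that contract: `[%# onchange must be a literal JS snippet from the calling template, never user-supplied data: escaping prevents attribute breakout but the content still runs as script %]`. `size` on L775 is still emitted raw and stays on the test's exception list; `FILTER html` there would close the last unfiltered value in this hunk.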
......@@ -73,7 +73,8 @@
[% ' | <a href="sanitycheck.cgi">Sanity&nbsp;check</a>'
IF user.groups.tweakparams %]
| <a href="relogin.cgi">Log&nbsp;out</a>&nbsp;[% user.login %]
| <a href="relogin.cgi">Log&nbsp;out</a>&nbsp;
[% user.login FILTER html %]
</td>
</tr>
......@@ -27,6 +27,9 @@
[%# This is a list of all the possible user errors. Please keep them in
# alphabetical order by error tag, and leave a blank line between errors.
#
# Note that you must explicitly filter every single template variable
# in this file; if you do not wish to change it, use the "none" filter.
#%]
[% PROCESS global/variables.none.tmpl %]
......@@ -44,7 +47,7 @@
[% ELSIF error == "account_disabled" %]
[% title = "Account Disabled" %]
[% disabled_reason %]
[% disabled_reason FILTER none %]
<hr>
If you believe your account should be restored, please
send email to [% Param("maintainer") %] explaining why.
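Review bot: `disabled_reason FILTER none` on L800 is a deliberate opt-out — presumably because administrators write that text as HTML — but nothing at the use site says so, and the new header comment asks every variable in this file to be filtered explicitly. A note would prevent a well-meaning change to `FILTER html`: `[%# disabled_reason is set by an administrator and may contain HTML markup; hence 'none' %]`; if it is in fact plain text, `FILTER html` is the safer default. `Param("maintainer")` on L803 is also unfiltered, which is acceptable only if Param values are treated as admin-trusted everywhere.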
......@@ -72,7 +75,7 @@
[% ELSIF error == "alias_in_use" %]
[% title = "Alias In Use" %]
[% bug_link %] has already taken the alias
[% bug_link FILTER none %] has already taken the alias
<em>[% alias FILTER html %]</em>. Please choose another one.
[% ELSIF error == "alias_is_numeric" %]
......@@ -95,7 +98,7 @@
[% ELSIF error == "authorization_failure" %]
[% title = "Authorization Failed" %]
You are not allowed to [% action %].
You are not allowed to [% action FILTER html %].
[% ELSIF error == "attachment_access_denied" %]
[% title = "Access Denied" %]
......@@ -103,13 +106,14 @@
[% ELSIF error == "bug_access_denied" %]
[% title = "Access Denied" %]
You are not authorized to access [% terms.bug %] #[% bug_id %].
You are not authorized to access [% terms.bug %] #[% bug_id FILTER html %].
[% ELSIF error == "bug_access_query" %]
[% title = "Access Denied" %]
You are not authorized to access [% terms.bug %] #[% bug_id %]. To see
this [% terms.bug %], you must
first <a href="show_bug.cgi?id=[% bug_id %]&amp;GoAheadAndLogIn=1">log
You are not authorized to access [% terms.bug %] #[% bug_id FILTER html %].
To see this [% terms.bug %], you must
first <a href="show_bug.cgi?id=
[% bug_id FILTER url_quote %]&amp;GoAheadAndLogIn=1">log
in to an account</a> with the appropriate permissions.
[% ELSIF error == "buglist_parameters_required" %]
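Review bot: L830-L831 split the `show_bug.cgi?id=` href across lines, so the attribute value contains a newline and the directive's leading indentation between `id=` and the bug id; unless PRE_CHOMP is enabled globally (not visible here), that whitespace ends up in the query string. `[%- bug_id FILTER url_quote %]&amp;GoAheadAndLogIn=1">log` keeps the line break while chomping the whitespace. The body text on L828 correctly uses `FILTER html` for the same value.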
......@@ -139,7 +143,7 @@
[% title = "Dependency Loop Detected" %]
The following [% terms.bug %](s) would appear on both the "depends on"
and "blocks" parts of the dependency tree if these changes
are committed: [% both %]. This would create a circular
are committed: [% both FILTER none %]. This would create a circular
dependency, which is not allowed.
[% ELSIF error == "dependency_loop_single" %]
......@@ -176,7 +180,8 @@
[% ELSIF error == "file_too_large" %]
[% title = "File Too Large" %]
The file you are trying to attach is [% filesize %] kilobytes (KB) in size.
The file you are trying to attach is [% filesize FILTER html %]
kilobytes (KB) in size.
Non-patch attachments cannot be more than [% Param('maxattachmentsize') %]
KB.
If your attachment is an image, try converting it to a compressable
......@@ -187,8 +192,10 @@
[% title = "Flag Requestee Not Authorized" %]
You asked [% requestee.identity FILTER html %]
for <code>[% flag_type.name FILTER html %]</code> on [% terms.bug %] [% bug_id -%]
[% IF attach_id %], attachment [% attach_id %][% END %], but that [% terms.bug %]&bnsp;
for <code>[% flag_type.name FILTER html %]</code> on [% terms.bug %]
[% bug_id FILTER html -%]
[% IF attach_id %], attachment [% attach_id FILTER html %][% END %],
but that [% terms.bug %]&bnsp;
has been restricted to users in certain groups, and the user you asked
isn't in all the groups to which the [% terms.bug %] has been restricted.
Please choose someone else to ask, or make the [% terms.bug %] accessible to users
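Review bot: L859 carries the typo `&bnsp;` over from the old line; that is not an HTML entity, so the page shows the literal text `&bnsp;` after the bug number. Since the line is being rewritten anyway it should read `but that [% terms.bug %]&nbsp;`.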
......@@ -198,8 +205,10 @@
[% title = "Flag Requestee Not Authorized" %]
You asked [% requestee.identity FILTER html %]
for <code>[% flag_type.name FILTER html %]</code> on [% terms.bug %]&nbsp;[% bug_id %],
attachment [% attach_id %], but that attachment is restricted to users
for <code>[% flag_type.name FILTER html %]</code> on
[% terms.bug %]&nbsp;[% bug_id FILTER html %],
attachment [% attach_id FILTER html %], but that attachment is restricted
to users
in the [% Param("insidergroup") FILTER html %] group, and the user
you asked isn't in that group. Please choose someone else to ask,
or ask an administrator to add the user to the group.
......@@ -233,11 +242,12 @@
[% ELSIF error == "illegal_attachment_edit" %]
[% title = "Unauthorised Action" %]
You are not authorised to edit attachment [% attach_id %].
You are not authorised to edit attachment [% attach_id FILTER html %].
[% ELSIF error == "illegal_attachment_edit_bug" %]
[% title = "Unauthorised Action" %]
You are not authorised to edit attachments on [% terms.bug %] [%+ bug_id %].
You are not authorised to edit attachments on [% terms.bug %]
[%+ bug_id FILTER html %].
[% ELSIF error == "illegal_attachment_is_patch" %]
[% title = "Your Query Makes No Sense" %]
......@@ -246,7 +256,8 @@
[% ELSIF error == "illegal_change" %]
[% title = "Not allowed" %]
You tried to change the <strong>[% field %]</strong> field
You tried to change the
<strong>[% field_descs.$field FILTER html %]</strong> field
from <em>[% oldvalue FILTER html %]</em> to
<em>[% newvalue FILTER html %]</em>,
but only the owner or submitter of the [% terms.bug %], or a
......@@ -320,7 +331,7 @@
[% ELSIF error == "invalid_bug_id_non_existent" %]
[% title = BLOCK %]Invalid [% terms.Bug %] ID[% END %]
[% terms.Bug %] #[% bug_id %] does not exist.
[% terms.Bug %] #[% bug_id FILTER html %] does not exist.
[% ELSIF error == "invalid_bug_id_or_alias" %]
[% title = BLOCK %]Invalid [% terms.Bug %] ID[% END %]
......@@ -383,7 +394,8 @@
[% ELSIF error == "milestone_required" %]
[% title = "Milestone Required" %]
You must determine a target milestone for [% terms.bug %] [%+ bug_id %]
You must determine a target milestone for [% terms.bug %]
[%+ bug_id FILTER html %]
if you are going to accept it. Part of accepting
[% terms.abug %] is giving an estimate of when it will be fixed.
......@@ -459,7 +471,8 @@
[% ELSIF error == "need_positive_number" %]
[% title = "Positive Number Required" %]
The <em>[% field_descs.$field %]</em> field requires a positive number.
The <em>[% field_descs.$field FILTER html %]</em> field requires a positive
number.
[% ELSIF error == "need_product" %]
[% title = "Product Required" %]
......@@ -499,7 +512,8 @@
[% ELSIF error == "no_dupe_stats" %]
[% title = "Cannot Find Duplicate Statistics" %]
There are no duplicate statistics for today ([% today %]) or yesterday.
There are no duplicate statistics for today ([% today FILTER html %])
or yesterday.
[% ELSIF error == "no_dupe_stats_error_today" %]
[% title = "Error Reading Today's Dupes File" %]
......@@ -513,7 +527,8 @@
[% ELSIF error == "no_dupe_stats_error_yesterday" %]
[% title = "Error Reading Yesterday's Dupes File" %]
There are no duplicate statistics for today ([% today %]), and an error
There are no duplicate statistics for today ([% today FILTER html %]),
and an error
occurred opening yesterday's dupes file: [% error_msg FILTER html %].
[% ELSIF error == "no_html_in_quips" %]
......@@ -558,7 +573,8 @@
[% ELSIF error == "patch_too_large" %]
[% title = "File Too Large" %]
The file you are trying to attach is [% filesize %] kilobytes (KB) in size.
The file you are trying to attach is [% filesize FILTER html %]
kilobytes (KB) in size.
Patches cannot be more than [% Param('maxpatchsize') %] KB in size.
Try breaking your patch into several pieces.
......@@ -568,7 +584,8 @@
[% ELSIF error == "product_edit_denied" %]
[% title = "Product Edit Access Denied" %]
You are not permitted to edit [% terms.bugs %] in product [% product %].
You are not permitted to edit [% terms.bugs %] in product
[% product FILTER html %].
[% ELSIF error == "query_name_missing" %]
[% title = "No Query Name Specified" %]
......@@ -620,15 +637,17 @@
[% ELSIF error == "too_many_votes_for_bug" %]
[% title = "Illegal Vote" %]
You may only use at most [% max %] votes for a single [% terms.bug %] in the
You may only use at most [% max FILTER html %] votes for a single
[%+ terms.bug %] in the
<tt>[% prod FILTER html %]</tt> product, but you are trying to use
[% votes %].
[% votes FILTER html %].
[% ELSIF error == "too_many_votes_for_product" %]
[% title = "Illegal Vote" %]
You may only use at most [% max %] votes for [% terms.bugs %] in the
You may only use at most [% max FILTER html %] votes for [% terms.bugs %]
in the
<tt>[% prod FILTER html %]</tt> product, but you are trying to use
[% votes %].
[% votes FILTER html %].
[% ELSIF error == "token_inexistent" %]
[% title = "Token Does Not Exist" %]
......@@ -662,7 +681,8 @@
[% ELSIF error == "value_out_of_range" %]
[% title = "Value Out Of Range" %]
Value is out of range for field <em>[% field_descs.$field %]</em>.
Value is out of range for field
<em>[% field_descs.$field FILTER html %]</em>.
[% ELSIF error == "zero_length_file" %]
[% title = "File Is Empty" %]
......@@ -684,7 +704,7 @@
<tr>
<td bgcolor="#ff0000">
<font size="+2">
[% error_message %]
[% error_message FILTER none %]
</font>
</td>
</tr>
......
......@@ -42,7 +42,9 @@
[% FOREACH column = masterlist %]
<input type="checkbox" id="[% column %]" name="column_[% column %]"
[% "checked='checked'" IF lsearch(collist, column) != -1 %]>
<label for="[% column %]">[% field_descs.${column} || column %]</label>
<label for="[% column %]">
[% (field_descs.${column} || column) FILTER html %]
</label>
<br>
[% END %]
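Review bot: `column` still reaches the `id`, `name` and `for` attributes on the lines above without a filter, while the label text now gets `FILTER html`. If `masterlist` is a server-side column list this is harmless, but the inconsistency is easy to copy into a place where the value is user-controlled; either apply the filter in the attributes too (`id="[% column FILTER html %]"`) or add `[%# column values come from masterlist, not from the request %]` so the next reader knows why they are exempt. The enclosing FOREACH closes at the `[% END %]` in this hunk, but the form around it is outside the hunk.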
......
......@@ -149,7 +149,9 @@
[% END %]
[% IF bugowners %]
<a href="mailto:[% bugowners %]">Send Mail to [% terms.Bug %] Owners</a> &nbsp;&nbsp;
<a href="mailto:[% bugowners FILTER html %]">Send
Mail to [% terms.Bug %] Owners</a>
&nbsp;&nbsp;
[% END %]
<a href="query.cgi?
......
......@@ -79,13 +79,15 @@
<a name="[% comp.name FILTER html %]">[% comp.name FILTER html %]</a>
</td>
<td>
<a href="mailto:[% comp.initialowner %][% Param('emailsuffix') %]">
<a href="mailto:[% comp.initialowner FILTER html %]
[% Param('emailsuffix') %]">
[% comp.initialowner FILTER html %]</a>
</td>
[% IF Param("useqacontact") %]
<td>
<a href="mailto:[% comp.initialqacontact %][% Param('emailsuffix') %]">
[% comp.initialqacontact %]</a>
<a href="mailto:[% comp.initialqacontact FILTER html %]
[% Param('emailsuffix') %]">
[% comp.initialqacontact FILTER html %]</a>
</td>
[% END %]
</tr>
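Review bot: The href on the new lines is split across a line break between `[% comp.initialowner FILTER html %]` and `[% Param('emailsuffix') %]`; unless the Template configuration chomps leading whitespace (PRE_CHOMP) the newline and indentation become part of the mailto: address. Writing `[%- Param('emailsuffix') %]` makes the whitespace handling explicit and independent of the global config, and the same applies to the qacontact link further down. `Param('emailsuffix')` itself stays unfiltered, which is acceptable only because it is presumably an administrator-set value rather than request input; a short `[%# emailsuffix is an admin parameter, not user input %]` comment would record that.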
......
......@@ -34,7 +34,7 @@
[% END%]
<head>
<title>[% title %]</title>
<title>[% title FILTER html %]</title>
</head>
<body>
......
......@@ -70,17 +70,18 @@
[% bug_ids_string = bug_ids.join(',') %]
<a href="duplicates.cgi?sortby=[% column.name %]
[% IF sortby == column.name %]
[% "&reverse=1" IF NOT reverse %]
[% "&amp;reverse=1" IF NOT reverse %]
[% ELSE %]
[%-# Some columns start off reversed %]
[% "&reverse=1" IF column.name.match('delta|count') %]
[% "&amp;reverse=1" IF column.name.match('delta|count') %]
[% END %]
[% "&maxrows=$maxrows" IF maxrows %]
[% "&changedsince=$changedsince" IF changedsince %]
[% "&openonly=1" IF openonly %]
[% "&product=$product" IF product %]
[% "&format=$format" IF format %]
[% "&bug_id=$bug_ids_string&sortvisible=1" IF sortvisible %]">
[% "&amp;maxrows=$maxrows" IF maxrows %]
[% "&amp;changedsince=$changedsince" IF changedsince %]
[% "&amp;openonly=1" IF openonly %]
[% IF product %]&amp;product=[% product FILTER html %][% END %]
[% IF format %]&amp;format=[% format FILTER html %][% END %]
[% "&amp;bug_id=$bug_ids_string&amp;sortvisible=1"
IF sortvisible %]">
[% column.description %]</a>
</b>
</center>
......@@ -135,10 +136,10 @@
<td><center>[% bug.delta %]</center></td>
[% END %]
<td>[% bug.component %]</td>
<td><center>[% bug.bug_severity %]</center></td>
<td><center>[% bug.op_sys %]</center></td>
<td><center>[% bug.target_milestone %]</center></td>
<td>[% bug.component FILTER html %]</td>
<td><center>[% bug.bug_severity FILTER html %]</center></td>
<td><center>[% bug.op_sys FILTER html %]</center></td>
<td><center>[% bug.target_milestone FILTER html %]</center></td>
<td>[% bug.short_desc FILTER html %]</td>
</tr>
[% END %]
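Review bot: `$maxrows` and `$changedsince` are still interpolated into the href unfiltered on the `&amp;maxrows=` and `&amp;changedsince=` lines, while `product` and `format` in the same attribute now get `FILTER html`. If these come straight from the CGI parameters they need the same treatment, e.g. `[% IF maxrows %]&amp;maxrows=[% maxrows FILTER html %][% END %]`; if duplicates.cgi has already validated them as integers, a `[%# maxrows/changedsince are validated numeric in duplicates.cgi %]` comment would make the exemption deliberate. The same question applies to `$bug_ids_string` in the `sortvisible` line and to `[% column.description %]` used as the link text.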
......
......@@ -29,13 +29,18 @@
[% row_field_disp = field_descs.$row_field || row_field %]
[% title = BLOCK %]
[% "$tbl_field_disp: $tbl\n" IF tbl_field %]
[% row_field_disp IF row_field %]
[% IF tbl_field %]
[% tbl_field_disp FILTER csv %]: [% tbl FILTER csv %]
[% END %]
[% IF row_field %]
[% row_field_disp FILTER csv %]
[% END %]
[% " / " IF col_field AND row_field %]
[% col_field_disp %]
[% col_field_disp FILTER csv %]
[% END %]
[% title FILTER csv %],
[% title %],
[% IF col_field -%]
[% FOREACH col = col_names -%]
[% col FILTER csv -%],
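Review bot: Filtering each component with `csv` inside the BLOCK and then emitting `[% title %]` unfiltered changes the shape of the first CSV cell: if the csv filter quotes non-numeric values (as Bugzilla's does), the cell now contains several independently quoted fragments such as `"Component": "General"` instead of one quoted field with inner quotes doubled, which RFC 4180-style readers will not parse. Keeping the old `[% title FILTER csv %],` at the point of output and marking the pieces inside the BLOCK with the `none` filter this commit introduces (`[% tbl_field_disp FILTER none %]: [% tbl FILTER none %]`, and likewise for `row_field_disp` and `col_field_disp`) keeps the filter test satisfied while still producing a single well-formed field.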
......
......@@ -50,7 +50,7 @@
<td>
</td>
<td align="center">
<h2>[% tbl_disp %]</h2>
<h2>[% tbl_disp FILTER html %]</h2>
</td>
</tr>
[% END %]
......
......@@ -54,11 +54,15 @@
[% title = BLOCK %]
Report:
[% tbl_field_disp IF tbl_field %]
[% IF tbl_field %]
[% tbl_field_disp FILTER html %]
[% END %]
[% " / " IF tbl_field AND (col_field OR row_field) %]
[% row_field_disp IF row_field %]
[% IF row_field %]
[% row_field_disp FILTER html %]
[% END %]
[% " / " IF col_field AND row_field %]
[% col_field_disp %]
[% col_field_disp FILTER html %]
[% END %]
[% PROCESS global/header.html.tmpl
......@@ -128,7 +132,7 @@
[% UNLESS other_format.name == format %]
<a href="[% formaturl %]&amp;format=[% other_format.name %]">
[% END %]
[% other_format.description %]
[% other_format.description FILTER html %]
[% "</a>" UNLESS other_format.name == format %] |
[% END %]
<a href="[% formaturl %]&amp;ctype=csv&amp;format=table">CSV</a>
......@@ -139,7 +143,9 @@
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
</td>
[% sizeurl = "report.cgi?$switchbase&amp;action=wrap&amp;format=$format" %]
[% sizeurl = BLOCK %]report.cgi?
[% switchbase %]&amp;action=wrap&amp;format=
[% format FILTER html %][% END %]
<td align="center">
<a href="[% sizeurl %]&amp;width=[% width %]&amp;height=
[% height + 100 %]">Taller</a><br>
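Review bot: `other_format.name` is still emitted unfiltered inside the href on the `&amp;format=` line while `other_format.description` just below now gets `FILTER html`; the same goes for `[% width %]` and `[% height + 100 %]` in the `Taller` link. If these values are taken from CGI parameters they need `FILTER html` (or `url_quote`) like `format` in the new sizeurl BLOCK; if they are validated before reaching the template, a short `[%# width/height validated numeric in report.cgi %]` comment would keep the exemption explainable. The new sizeurl BLOCK also depends on the newline before `[% switchbase %]` being chomped so that the URL stays whitespace-free; `[%- switchbase %]` would make that explicit rather than relying on the global PRE_CHOMP setting.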
......
......@@ -352,7 +352,7 @@ function selectProduct(f) {
value="[% default.short_desc.0 FILTER html %]">
</td>
<td>
<input type="submit" value="[% button_name %]">
<input type="submit" value="[% button_name FILTER html %]">
</td>
</tr>
......
......@@ -148,7 +148,7 @@
[% END %]
</select>
<input type="submit" value="[% button_name %]">
<input type="submit" value="[% button_name FILTER html %]">
[% IF userdefaultquery %]
<p>
......
......@@ -107,7 +107,7 @@
[% PROCESS search/form.html.tmpl %]
<br>
<input type="submit" value="[% button_name %]">
<input type="submit" value="[% button_name FILTER html %]">
<input type="hidden" name="action" value="wrap">
<hr>
......
......@@ -82,7 +82,7 @@
[% PROCESS search/form.html.tmpl %]
<br>
<input type="submit" value="[% button_name %]">
<input type="submit" value="[% button_name FILTER html %]">
<input type="hidden" name="format" value="table">
<input type="hidden" name="action" value="wrap">
<hr>
......