Bug 924932: (CVE-2013-1743) [SECURITY] Field values are not escaped correctly in tabular reports

r=dkl a=glob

Bug 924932: (CVE-2013-1743) [SECURITY] Field values are not escaped correctly in tabular reports
1176b66a · Frédéric Buclin · 94e43ad5 · 1176b66a
Commit 1176b66a authored Oct 16, 2013 by Frédéric Buclin
Hide whitespace changes
Inline Side-by-side

Showing with 24 additions and 14 deletions

report-table.html.tmpl template/en/default/reports/report-table.html.tmpl +24 -14

No files found.
--- a/template/en/default/reports/report-table.html.tmpl
+++ b/template/en/default/reports/report-table.html.tmpl
@@ -30,32 +30,42 @@
 [% END %]
 <script type="text/javascript">
+function bz_encode (str, decode) {
+  // First decode HTML entities, if requested.
+  if (decode)
+    str = str.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
+             .replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/\s+$/,"");
+  // encodeURIComponent() doesn't escape single quotes.
+  return encodeURIComponent(str).replace(/'/g, escape);
+};
 YAHOO.util.Event.addListener(window, "load", function() {
  this.Linkify = function(elLiner, oRecord, oColumn, oData) {
    if (oData == 0)
      elLiner.innerHTML = ".";
    else if (oRecord.getData("row_title") == "Total")
-      elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% col_field FILTER js %]="
+      elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% col_field FILTER uri FILTER js %]='
-                          + oColumn.field + "[% '&amp;' _ row_vals IF row_vals %]'>"
+                          + bz_encode(oColumn.field)
-                          + oData + "</a>";
+                          + '[% "&amp;" _ row_vals IF row_vals %]">' + oData + '</a>';
    else
-      elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% row_field FILTER js %]="
+      elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% row_field FILTER uri FILTER js %]='
-                          + oRecord.getData("row_title").replace(/\s+$/,"")
+                          + bz_encode(oRecord.getData("row_title"), 1)
-                          + "&amp;[% col_field FILTER js %]=" + oColumn.field
+                          + '&amp;[% col_field FILTER uri FILTER js %]='
-                          + "'>" + oData + "</a>";
+                          + bz_encode(oColumn.field) + '">' + oData + '</a>';
  };
  this.LinkifyTotal = function(elLiner, oRecord, oColumn, oData) {
    if (oData == 0)
      elLiner.innerHTML = ".";
    else if (oRecord.getData("row_title") == "Total")
-      elLiner.innerHTML = "<a href='[% urlbase %][% '&amp;' _ row_vals IF row_vals %]
+      elLiner.innerHTML = '<a href="[% urlbase FILTER js %][% "&amp;" _ row_vals IF row_vals %]
-                          [%~ '&amp;' _ col_vals IF col_vals %]'>"
+                          [%~ "&amp;" _ col_vals IF col_vals %]">'
-                          + oData + "</a>";
+                          + oData + '</a>';
    else
-      elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% row_field FILTER js %]="
+      elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% row_field FILTER uri FILTER js %]='
-                          + oRecord.getData("row_title").replace(/\s+$/,"")
+                          + bz_encode(oRecord.getData("row_title"), 1)
-                          + "[% '&amp;' _ col_vals IF col_vals %]'>" + oData + "</a>";
+                          + '[% "&amp;" _ col_vals IF col_vals %]">' + oData + '</a>';
    YAHOO.util.Dom.addClass(elLiner.parentNode, "ttotal");
  };
@@ -147,7 +157,7 @@ YAHOO.util.Event.addListener(window, "load", function() {
 [% col_idx = 0 %]
 [% row_idx = 0 %]
 [% grand_total = 0 %]
-<div id="tabular_report_container_[% tbl FILTER js %]">
+<div id="tabular_report_container_[% tbl FILTER html %]">
 <table id="tabular_report" border="1">
  [% IF col_field %]
    <thead>