Bug 842063: HTML injection is possible using the bug alias

r=dkl a=LpSolit

Bug 842063: HTML injection is possible using the bug alias
11829ac0 · Frédéric Buclin · 2541a7dc · 11829ac0
Commit 11829ac0 authored Feb 18, 2013 by Frédéric Buclin
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

show-header.html.tmpl template/en/default/bug/show-header.html.tmpl +4 -2

No files found.
--- a/template/en/default/bug/show-header.html.tmpl
+++ b/template/en/default/bug/show-header.html.tmpl
@@ -13,12 +13,14 @@
  # be overridden by the calling templates.
  #%]

+[% filtered_alias = bug.alias FILTER html %]
 [% filtered_desc = bug.short_desc FILTER html %]
-[% subheader = filtered_desc %]
 [% filtered_timestamp = bug.delta_ts FILTER time %]
+
+[% subheader = filtered_desc %]
 [% title = "$terms.Bug $bug.bug_id &ndash; " %]
 [% IF bug.alias != '' %]
-  [% title = title _ "($bug.alias) " %]
+  [% title = title _ "($filtered_alias) " %]
 [% END %]
 [% title = title _ filtered_desc %]
 [% yui = ['autocomplete', 'calendar'] %]