Bug 351994: Messages shouldn't contain HTML characters unless we're in USAGE_MODE_BROWSER

Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=ghendricks, a=myk

Bug 351994: Messages shouldn't contain HTML characters unless we're in USAGE_MODE_BROWSER
6c0f16ff · mkanat%bugzilla.org · c4840b68 · 6c0f16ff · 6c0f16ff · 6c0f16ff
Commit 6c0f16ff authored Sep 22, 2006 by mkanat%bugzilla.org
5 changed files
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -760,6 +760,22 @@ sub create {
                     1
                     ],

+            # Note that using this filter is even more dangerous than
+            # using "none," and you should only use it when you're SURE
+            # the output won't be displayed directly to a web browser.
+            txt => sub {
+                my ($var) = @_;
+                # Trivial HTML tag remover
+                $var =~ s/<[^>]*>//g;
+                # And this basically reverses the html filter.
+                $var =~ s/\&#64;/@/g;
+                $var =~ s/\&lt;/</g;
+                $var =~ s/\&gt;/>/g;
+                $var =~ s/\&quot;/\"/g;
+                $var =~ s/\&amp;/\&/g;
+                return $var;
+            },
+
            # Wrap a displayed comment to the appropriate length
            wrap_comment => \&Bugzilla::Util::wrap_comment,


--- a/t/008filter.t
+++ b/t/008filter.t
@@ -225,7 +225,7 @@ sub directive_ok {
    return 1 if $directive =~ /FILTER\ (html|csv|js|base64|url_quote|css_class_quote|
                                        ics|quoteUrls|time|uri|xml|lower|
                                        obsolete|inactive|closed|unitconvert|
-                                        none)\b/x;
+                                        txt|none)\b/x;

    return 0;
 }

--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
@@ -434,7 +434,11 @@
 [%# We only want HTML error messages for ERROR_MODE_WEBPAGE %]
 [% USE Bugzilla %]
 [% IF Bugzilla.error_mode != constants.ERROR_MODE_WEBPAGE %]
+  [% IF Bugzilla.usage_mode == constants.USAGE_MODE_BROWSER %]
    [% error_message FILTER none %]
+  [% ELSE %]
+    [% error_message FILTER txt %]
+  [% END %]
  [% RETURN %]
 [% END %]


--- a/template/en/default/global/message.txt.tmpl
+++ b/template/en/default/global/message.txt.tmpl
@@ -23,4 +23,4 @@
 [%# Yes, this may show some HTML. But it's the best we
  # can do at the moment. %]
 [% PROCESS global/messages.html.tmpl %]
-[% message %]
+[% message FILTER txt %]
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1483,7 +1483,11 @@
 [%# We only want HTML error messages for ERROR_MODE_WEBPAGE %]
 [% USE Bugzilla %]
 [% IF Bugzilla.error_mode != constants.ERROR_MODE_WEBPAGE %]
+  [% IF Bugzilla.usage_mode == constants.USAGE_MODE_BROWSER %]
    [% error_message FILTER none %]
+  [% ELSE %]
+    [% error_message FILTER txt %]
+  [% END %]
  [% RETURN %]
 [% END %]