Commit 7fca098a authored by Frédéric Buclin's avatar Frédéric Buclin

Bug 924932: (CVE-2013-1743) [SECURITY] Field values are not escaped correctly in tabular reports

r=dkl a=glob
parent 953d690a
......@@ -30,32 +30,42 @@
[% END %]
<script type="text/javascript">
function bz_encode (str, decode) {
// First decode HTML entities, if requested.
if (decode)
str = str.replace(/&lt;/g, "<").replace(/&gt;/g, ">").replace(/&quot;/g, '"')
.replace(/&nbsp;/g, " ").replace(/&amp;/g, "&").replace(/\s+$/,"");
// encodeURIComponent() doesn't escape single quotes.
return encodeURIComponent(str).replace(/'/g, escape);
};
YAHOO.util.Event.addListener(window, "load", function() {
this.Linkify = function(elLiner, oRecord, oColumn, oData) {
if (oData == 0)
elLiner.innerHTML = ".";
else if (oRecord.getData("row_title") == "Total")
elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% col_field FILTER js %]="
+ oColumn.field + "[% '&amp;' _ row_vals IF row_vals %]'>"
+ oData + "</a>";
elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% col_field FILTER uri FILTER js %]='
+ bz_encode(oColumn.field)
+ '[% "&amp;" _ row_vals IF row_vals %]">' + oData + '</a>';
else
elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% row_field FILTER js %]="
+ oRecord.getData("row_title").replace(/\s+$/,"")
+ "&amp;[% col_field FILTER js %]=" + oColumn.field
+ "'>" + oData + "</a>";
elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% row_field FILTER uri FILTER js %]='
+ bz_encode(oRecord.getData("row_title"), 1)
+ '&amp;[% col_field FILTER uri FILTER js %]='
+ bz_encode(oColumn.field) + '">' + oData + '</a>';
};
this.LinkifyTotal = function(elLiner, oRecord, oColumn, oData) {
if (oData == 0)
elLiner.innerHTML = ".";
else if (oRecord.getData("row_title") == "Total")
elLiner.innerHTML = "<a href='[% urlbase %][% '&amp;' _ row_vals IF row_vals %]
[%~ '&amp;' _ col_vals IF col_vals %]'>"
+ oData + "</a>";
elLiner.innerHTML = '<a href="[% urlbase FILTER js %][% "&amp;" _ row_vals IF row_vals %]
[%~ "&amp;" _ col_vals IF col_vals %]">'
+ oData + '</a>';
else
elLiner.innerHTML = "<a href='[% urlbase %]&amp;[% row_field FILTER js %]="
+ oRecord.getData("row_title").replace(/\s+$/,"")
+ "[% '&amp;' _ col_vals IF col_vals %]'>" + oData + "</a>";
elLiner.innerHTML = '<a href="[% urlbase FILTER js %]&amp;[% row_field FILTER uri FILTER js %]='
+ bz_encode(oRecord.getData("row_title"), 1)
+ '[% "&amp;" _ col_vals IF col_vals %]">' + oData + '</a>';
YAHOO.util.Dom.addClass(elLiner.parentNode, "ttotal");
};
......@@ -147,7 +157,7 @@ YAHOO.util.Event.addListener(window, "load", function() {
[% col_idx = 0 %]
[% row_idx = 0 %]
[% grand_total = 0 %]
<div id="tabular_report_container_[% tbl FILTER js %]">
<div id="tabular_report_container_[% tbl FILTER html %]">
<table id="tabular_report" border="1">
[% IF col_field %]
<thead>
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment