Bug 790296 (CVE-2012-4189): [SECURITY] Field values are not escaped correctly in tabular reports

r=dkl a=LpSolit

Bug 790296 (CVE-2012-4189): [SECURITY] Field values are not escaped correctly in tabular reports
aecf0a17 · Frédéric Buclin · 58f2aa2c · aecf0a17 · aecf0a17
Commit aecf0a17 authored Nov 13, 2012 by Frédéric Buclin
Hide whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

report.cgi report.cgi +1 -1

report-table.html.tmpl template/en/default/reports/report-table.html.tmpl +1 -1

No files found.
--- a/report.cgi
+++ b/report.cgi
@@ -387,5 +387,5 @@ sub get_field_restrictions {
    my $field = shift;
    my $cgi = Bugzilla->cgi;
-    return join('&', map {"$field=$_"} $cgi->param($field));
+    return join('&amp;', map {url_quote($field) . '=' . url_quote($_)} $cgi->param($field));
 }
--- a/template/en/default/reports/report-table.html.tmpl
+++ b/template/en/default/reports/report-table.html.tmpl
@@ -85,7 +85,7 @@ YAHOO.util.Event.addListener(window, "load", function() {
  var myColumnDefs = [
        {key:"row_title", label:"", sortable:true, sortOptions: { sortFunction:totalNumberSorter }},
        [% FOREACH col = col_names %]
-          {key:"[% col FILTER js %]", label:"[% display_value(col_field, col) FILTER js %]", sortable:true,
+          {key:"[% col FILTER js %]", label:"[% display_value(col_field, col) FILTER html FILTER js %]", sortable:true,
           formatter:this.Linkify, sortOptions: { defaultDir: YAHOO.widget.DataTable.CLASS_DESC, sortFunction:totalNumberSorter }},
        [% END %]
        {key:"total", label:"Total", sortable:true, formatter:this.LinkifyTotal,