Bug 330555: [SECURITY] H1, H2 and H3 are not filtered in global/header.html.tmpl…

Bug 330555: [SECURITY] H1, H2 and H3 are not filtered in global/header.html.tmpl - Patch by Frédéric Buclin <LpSolit@gmail.com> r=justdave a=justdave

Bug 330555: [SECURITY] H1, H2 and H3 are not filtered in global/header.html.tmpl…
b0ddda44 · lpsolit%gmail.com · b1ef63e5 · b0ddda44 · b0ddda44 · b0ddda44
Commit b0ddda44 authored Oct 15, 2006 by lpsolit%gmail.com
10 changed files
--- a/template/en/default/admin/flag-type/edit.html.tmpl
+++ b/template/en/default/admin/flag-type/edit.html.tmpl
@@ -35,9 +35,9 @@
 [% END %]

 [% IF last_action == "copy" %]
-  [% title = "Create Flag Type Based on $type.name" %]
+  [% title = BLOCK %]Create Flag Type Based on [% type.name FILTER html %][% END %]
 [% ELSIF last_action == "edit" %]
-  [% title = "Edit Flag Type $type.name" %]
+  [% title = BLOCK %]Edit Flag Type [% type.name FILTER html %][% END %]
 [% END %]

 [% PROCESS global/header.html.tmpl

--- a/template/en/default/admin/groups/edit.html.tmpl
+++ b/template/en/default/admin/groups/edit.html.tmpl
@@ -41,9 +41,10 @@
  #                   be aware of the group being edited and its members.
  #%]

+[% title = BLOCK %]Change Group: [% name FILTER html %][% END %]

 [% PROCESS global/header.html.tmpl
-  title = "Change Group: $name"
+  title = title
  style = "tr.odd_row {
               background: #e9e9e9; 
           }

--- a/template/en/default/admin/groups/remove.html.tmpl
+++ b/template/en/default/admin/groups/remove.html.tmpl
@@ -33,11 +33,13 @@


 [% IF remove_all %]
-  [% title = "Removing All Explicit Group Memberships from '"
-      _ name _ "'" %]
+  [% title = BLOCK %]
+    Removing All Explicit Group Memberships from '[% name FILTER html %]'
+  [% END %]
 [% ELSE %]
-  [% title = "Removing All Explicit Group Memberships Matching "
-      _ "Group RegExp from '" _ name _ "'" %]
+  [% title = BLOCK %]
+    Removing All Explicit Group Memberships Matching Group RegExp from '[% name FILTER html %]'
+  [% END %]
 [% END %]

 [% PROCESS global/header.html.tmpl %]

--- a/template/en/default/admin/users/confirm-delete.html.tmpl
+++ b/template/en/default/admin/users/confirm-delete.html.tmpl
@@ -44,8 +44,10 @@
  #                           created
  #%]

+[% title = BLOCK %]Confirm deletion of user [% otheruser.login FILTER html %][% END %]
+
 [% PROCESS global/header.html.tmpl
-  title = "Confirm deletion of user $otheruser.login"
+  title = title
  style_urls = ['skins/standard/admin.css',
                'skins/standard/editusers.css']
 %]

--- a/template/en/default/admin/users/edit.html.tmpl
+++ b/template/en/default/admin/users/edit.html.tmpl
@@ -25,8 +25,10 @@
  #                      canbless) for viewed user.
  #%]

+[% title = BLOCK %]Edit user [% otheruser.login FILTER html %][% END %]
+
 [% PROCESS global/header.html.tmpl
-  title = "Edit user $login"
+  title = title
  message = message
  style_urls = ['skins/standard/editusers.css']
 %]

--- a/template/en/default/bug/create/create.html.tmpl
+++ b/template/en/default/bug/create/create.html.tmpl
@@ -26,8 +26,10 @@

 [% PROCESS "global/field-descs.none.tmpl" %]

+[% title = BLOCK %]Enter [% terms.Bug %]: [% product.name FILTER html %][% END %]
+
 [% PROCESS global/header.html.tmpl
-  title = "Enter $terms.Bug: $product.name"
+  title = title
  style_urls = [ 'skins/standard/create_attachment.css' ]
  javascript_urls = [ "js/attachment.js" ]
 %]

--- a/template/en/default/bug/show.html.tmpl
+++ b/template/en/default/bug/show.html.tmpl
@@ -31,7 +31,7 @@
  [% filtered_desc = bug.short_desc FILTER html %]
  [% filtered_timestamp = bug.delta_ts FILTER time %]
  [% PROCESS global/header.html.tmpl
-    title = "$terms.Bug $bug.bug_id - $bug.short_desc"
+    title = "$terms.Bug $bug.bug_id - $filtered_desc"
    h1 = "$terms.Bug&nbsp;$bug.bug_id"
    h2 = filtered_desc
    h3 = "Last modified: $filtered_timestamp"

--- a/template/en/default/filterexceptions.pl
+++ b/template/en/default/filterexceptions.pl
@@ -232,6 +232,7 @@
  'javascript', 
  'style', 
  'onload',
+  'title',
  'h1',
  'h2',
  'h3', 

--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -62,7 +62,7 @@
                      "http://www.w3.org/TR/html4/loose.dtd">
 <html>
  <head>
-    <title>[% title FILTER html %]</title>
+    <title>[% title %]</title>

 [%# Migration note: contents of the old Param 'headerhtml' would go here %]


--- a/template/en/default/reports/duplicates.html.tmpl
+++ b/template/en/default/reports/duplicates.html.tmpl
@@ -36,12 +36,15 @@
 [% PROCESS global/variables.none.tmpl %]

 [% IF query_products.size %]
-  [% title = "Most Frequently Reported $terms.Bugs for ${query_products.join(', ')}" %]
+  [% title = BLOCK %]
+    Most Frequently Reported [% terms.Bugs %] for [% query_products.join(', ') FILTER html %]
+  [% END %]
 [% ELSE %]
  [% title = "Most Frequently Reported $terms.Bugs" %]
 [% END%]

 [% PROCESS global/header.html.tmpl
+   title = title
   style = ".resolved { background-color: #d9d9d9; color: #000000; }"
 %]