Bug 476305: Clean up and merge HTML filtering code - Patch by Vitaly Fedrushkov…

Bug 476305: Clean up and merge HTML filtering code - Patch by Vitaly Fedrushkov <vitaly.fedrushkov@gmail.com> r/a=LpSolit

Bug 476305: Clean up and merge HTML filtering code - Patch by Vitaly Fedrushkov…
b3f8306d · lpsolit%gmail.com · 8a3a795c · b3f8306d · b3f8306d · b3f8306d
Commit b3f8306d authored Jul 16, 2009 by lpsolit%gmail.com
Hide whitespace changes
Inline Side-by-side

Showing with 36 additions and 41 deletions

Template.pm Bugzilla/Template.pm +1 -33

Util.pm Bugzilla/Util.pm +34 -7

007util.t t/007util.t +1 -1

No files found.
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -641,39 +641,7 @@ sub create {
                      1
                    ],
-            # Bug 120030: Override html filter to obscure the '@' in user
+            html => \&Bugzilla::Util::html_quote,
-            #             visible strings.
-            # Bug 319331: Handle BiDi disruptions.
-            html => sub {
-                my ($var) = Template::Filters::html_filter(@_);
-                # Obscure '@'.
-                $var =~ s/\@/\&#64;/g;
-                if (Bugzilla->params->{'utf8'}) {
-                    # Remove the following characters because they're
-                    # influencing BiDi:
-                    # --------------------------------------------------------
-                    # |Code  |Name                      |UTF-8 representation|
-                    # |------|--------------------------|--------------------|
-                    # |U+202a|Left-To-Right Embedding   |0xe2 0x80 0xaa      |
-                    # |U+202b|Right-To-Left Embedding   |0xe2 0x80 0xab      |
-                    # |U+202c|Pop Directional Formatting|0xe2 0x80 0xac      |
-                    # |U+202d|Left-To-Right Override    |0xe2 0x80 0xad      |
-                    # |U+202e|Right-To-Left Override    |0xe2 0x80 0xae      |
-                    # --------------------------------------------------------
-                    #
-                    # The following are characters influencing BiDi, too, but
-                    # they can be spared from filtering because they don't
-                    # influence more than one character right or left:
-                    # --------------------------------------------------------
-                    # |Code  |Name                      |UTF-8 representation|
-                    # |------|--------------------------|--------------------|
-                    # |U+200e|Left-To-Right Mark        |0xe2 0x80 0x8e      |
-                    # |U+200f|Right-To-Left Mark        |0xe2 0x80 0x8f      |
-                    # --------------------------------------------------------
-                    $var =~ s/[\x{202a}-\x{202e}]//g;
-                }
-                return $var;
-            },
            html_light => \&Bugzilla::Util::html_light_quote,

--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -55,6 +55,7 @@ use DateTime::TimeZone;
 use Digest;
 use Email::Address;
 use Scalar::Util qw(tainted);
+use Template::Filters;
 use Text::Wrap;
 sub trick_taint {
@@ -81,12 +82,37 @@ sub detaint_signed {
    return (defined($_[0]));
 }
+# Bug 120030: Override html filter to obscure the '@' in user
+#             visible strings.
+# Bug 319331: Handle BiDi disruptions.
 sub html_quote {
-    my ($var) = (@_);
+    my ($var) = Template::Filters::html_filter(@_);
-    $var =~ s/\&/\&amp;/g;
+    # Obscure '@'.
-    $var =~ s/</\&lt;/g;
+    $var =~ s/\@/\&#64;/g;
-    $var =~ s/>/\&gt;/g;
+    if (Bugzilla->params->{'utf8'}) {
-    $var =~ s/\"/\&quot;/g;
+        # Remove the following characters because they're
+        # influencing BiDi:
+        # --------------------------------------------------------
+        # |Code  |Name                      |UTF-8 representation|
+        # |------|--------------------------|--------------------|
+        # |U+202a|Left-To-Right Embedding   |0xe2 0x80 0xaa      |
+        # |U+202b|Right-To-Left Embedding   |0xe2 0x80 0xab      |
+        # |U+202c|Pop Directional Formatting|0xe2 0x80 0xac      |
+        # |U+202d|Left-To-Right Override    |0xe2 0x80 0xad      |
+        # |U+202e|Right-To-Left Override    |0xe2 0x80 0xae      |
+        # --------------------------------------------------------
+        #
+        # The following are characters influencing BiDi, too, but
+        # they can be spared from filtering because they don't
+        # influence more than one character right or left:
+        # --------------------------------------------------------
+        # |Code  |Name                      |UTF-8 representation|
+        # |------|--------------------------|--------------------|
+        # |U+200e|Left-To-Right Mark        |0xe2 0x80 0x8e      |
+        # |U+200f|Right-To-Left Mark        |0xe2 0x80 0x8f      |
+        # --------------------------------------------------------
+        $var =~ s/[\x{202a}-\x{202e}]//g;
+    }
    return $var;
 }
@@ -745,8 +771,9 @@ be done in the template where possible.
 =item C<html_quote($val)>
-Returns a value quoted for use in HTML, with &, E<lt>, E<gt>, and E<34> being
+Returns a value quoted for use in HTML, with &, E<lt>, E<gt>, E<34> and @ being
-replaced with their appropriate HTML entities.
+replaced with their appropriate HTML entities.  Also, Unicode BiDi controls are
+deleted.
 =item C<html_light_quote($val)>

--- a/t/007util.t
+++ b/t/007util.t
@@ -45,7 +45,7 @@ my $tz = Bugzilla->local_timezone->short_name_for_datetime(DateTime->new(year =>
 # XXX: test taint functions
 #html_quote():
-is(html_quote("<lala&>"),"&lt;lala&amp;&gt;",'html_quote');
+is(html_quote("<lala&@>"),"&lt;lala&amp;&#64;&gt;",'html_quote');
 #url_quote():
 is(url_quote("<lala&>gaa\"'[]{\\"),"%3Clala%26%3Egaa%22%27%5B%5D%7B%5C",'url_quote');