Bug 926085: Forbird single quotes to delimit URLs (no <a href='...'>)

r=dkl a=glob

Bug 926085: Forbird single quotes to delimit URLs (no <a href='...'>)
c5b78d99 · Frédéric Buclin · 521df804 · c5b78d99 · c5b78d99 · c5b78d99
Commit c5b78d99 authored Feb 10, 2014 by Frédéric Buclin
Showing with 18 additions and 4 deletions

004template.t t/004template.t +15 -1

attachment.html.tmpl template/en/default/admin/params/attachment.html.tmpl +2 -2

auth.html.tmpl template/en/default/admin/params/auth.html.tmpl +1 -1

No files found.
--- a/t/004template.t
+++ b/t/004template.t
@@ -20,7 +20,7 @@ use CGI qw(-no_debug);

 use File::Spec;
 use Template;
-use Test::More tests => ( scalar(@referenced_files) + $num_actual_files );
+use Test::More tests => ( scalar(@referenced_files) + 2 * $num_actual_files );

 # Capture the TESTOUT from Test::More or Test::Builder for printing errors.
 # This will handle verbosity for us automatically.
@@ -104,6 +104,20 @@ foreach my $include_path (@include_paths) {
            ok(0, "$path has bad syntax --ERROR");
            print $fh $data . "\n";
        }
+
+        # Make sure no forbidden constructs are present.
+        local $/;
+        open(FILE, '<', $path) or die "Can't open $file: $!\n";
+        $data = <FILE>;
+        close (FILE);
+
+        # Forbid single quotes to delimit URLs, see bug 926085.
+        if ($data =~ /href=\\?'/) {
+            ok(0, "$path contains blacklisted constructs: href='...'");
+        }
+        else {
+            ok(1, "$path contains no blacklisted constructs");
+        }
    }
 }


--- a/template/en/default/admin/params/attachment.html.tmpl
+++ b/template/en/default/admin/params/attachment.html.tmpl
@@ -50,13 +50,13 @@
  maxattachmentsize => "The maximum size (in kilobytes) of attachments to be stored " _
                       "in the database. If a file larger than this size is attached " _
                       "to ${terms.abug}, $terms.Bugzilla will look at the " _
-                       "<a href='#maxlocalattachment'><tt>maxlocalattachment</tt> parameter</a> " _
+                       "<a href=\"#maxlocalattachment\"><tt>maxlocalattachment</tt> parameter</a> " _
                       "to determine if the file can be stored locally on the web server. " _
                       "If the file size exceeds both limits, then the attachment is rejected. " _
                       "Settings both parameters to 0 will prevent attaching files to ${terms.bugs}.",

  maxlocalattachment => "The maximum size (in megabytes) of attachments to be stored " _
                        "locally on the web server. If set to a value lower than the " _
-                        "<a href='#maxattachmentsize'><tt>maxattachmentsize</tt> parameter</a>, " _
+                        "<a href=\"#maxattachmentsize\"><tt>maxattachmentsize</tt> parameter</a>, " _
                        "attachments will never be kept on the local filesystem." }
 %]
--- a/template/en/default/admin/params/auth.html.tmpl
+++ b/template/en/default/admin/params/auth.html.tmpl
@@ -97,7 +97,7 @@
    "This defines the regular expression to use for legal email addresses. " _
    "The default tries to match fully qualified email addresses. " _
    "Use <tt>.*</tt> to accept any email address following the " _
-    "<a href='http://tools.ietf.org/html/rfc2822#section-3.4.1'>RFC 2822</a> " _
+    "<a href=\"http://tools.ietf.org/html/rfc2822#section-3.4.1\">RFC 2822</a> " _
    "specification. Another popular value to put here is <tt>^[^@]+$</tt>, " _
    "which means 'local usernames, no @ allowed.'",