Bug 136180 - use uri/url_quote filters correctly. Patch by ddk; 2xr=gerv.

e0abf5a6 · gerv%gerv.net · c61b13b2 · e0abf5a6 · e0abf5a6 · e0abf5a6
Commit e0abf5a6 authored Apr 25, 2002 by gerv%gerv.net
13 changed files
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -67,7 +67,7 @@ sub IssueEmailChangeToken {
    $vars->{'oldemailaddress'} = $old_email . &::Param('emailsuffix');
    $vars->{'newemailaddress'} = $new_email . &::Param('emailsuffix');

-    $vars->{'token'} = &::url_quote($token);
+    $vars->{'token'} = $token;
    $vars->{'emailaddress'} = $old_email . &::Param('emailsuffix');

    my $message;
@@ -78,7 +78,7 @@ sub IssueEmailChangeToken {
    print SENDMAIL $message;
    close SENDMAIL;

-    $vars->{'token'} = &::url_quote($newtoken);
+    $vars->{'token'} = $newtoken;
    $vars->{'emailaddress'} = $new_email . &::Param('emailsuffix');

    $message = "";
@@ -211,7 +211,7 @@ sub Cancel {
    $vars->{'emailaddress'} = $username;
    $vars->{'maintainer'} = $maintainer;
    $vars->{'remoteaddress'} = $::ENV{'REMOTE_ADDR'};
-    $vars->{'token'} = &::url_quote($token);
+    $vars->{'token'} = $token;
    $vars->{'tokentype'} = $tokentype;
    $vars->{'issuedate'} = $issuedate;
    $vars->{'eventdata'} = $eventdata;

--- a/Token.pm
+++ b/Token.pm
@@ -67,7 +67,7 @@ sub IssueEmailChangeToken {
    $vars->{'oldemailaddress'} = $old_email . &::Param('emailsuffix');
    $vars->{'newemailaddress'} = $new_email . &::Param('emailsuffix');

-    $vars->{'token'} = &::url_quote($token);
+    $vars->{'token'} = $token;
    $vars->{'emailaddress'} = $old_email . &::Param('emailsuffix');

    my $message;
@@ -78,7 +78,7 @@ sub IssueEmailChangeToken {
    print SENDMAIL $message;
    close SENDMAIL;

-    $vars->{'token'} = &::url_quote($newtoken);
+    $vars->{'token'} = $newtoken;
    $vars->{'emailaddress'} = $new_email . &::Param('emailsuffix');

    $message = "";
@@ -211,7 +211,7 @@ sub Cancel {
    $vars->{'emailaddress'} = $username;
    $vars->{'maintainer'} = $maintainer;
    $vars->{'remoteaddress'} = $::ENV{'REMOTE_ADDR'};
-    $vars->{'token'} = &::url_quote($token);
+    $vars->{'token'} = $token;
    $vars->{'tokentype'} = $tokentype;
    $vars->{'issuedate'} = $issuedate;
    $vars->{'eventdata'} = $eventdata;

--- a/globals.pl
+++ b/globals.pl
@@ -1616,6 +1616,13 @@ $::template ||= Template->new(
        } , 
        
        html => \&html_quote , 
+
+        # This subroutine in CGI.pl escapes characters in a variable
+        # or value string for use in a query string.  It escapes all
+        # characters NOT in the regex set: [a-zA-Z0-9_\-.].  The 'uri'
+        # filter should be used for a full URL that may have
+        # characters that need encoding.
+        url_quote => \&url_quote ,
      } ,
  }
 ) || DisplayError("Template creation failed: " . Template->error())

--- a/t/004template.t
+++ b/t/004template.t
@@ -63,8 +63,9 @@ my $template = Template->new(
    # actually have to function in this test, just be defined.
    FILTERS =>
    {
-        strike => sub { return $_ } ,
-        js     => sub { return $_ }
+        js        => sub { return $_ } ,
+        strike    => sub { return $_ } ,
+        url_quote => sub { return $_ } ,
    },
 }
 );

--- a/template/en/default/account/email/change-new.txt.tmpl
+++ b/template/en/default/account/email/change-new.txt.tmpl
@@ -27,10 +27,10 @@ for the [% oldemailaddress %] account to your address.

 To confirm the change, visit the following link:

-[% Param('urlbase') %]token.cgi?a=cfmem&t=[% token FILTER html %]
+[% Param('urlbase') %]token.cgi?a=cfmem&t=[% token FILTER url_quote %]

 If you are not the person who made this request, or you wish to cancel
 this request, visit the following link:

-[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER html %]
+[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER url_quote %]

--- a/template/en/default/account/email/change-old.txt.tmpl
+++ b/template/en/default/account/email/change-old.txt.tmpl
@@ -31,5 +31,5 @@ for your account to [% newemailaddress %].
 If you are not the person who made this request, or you wish to cancel
 this request, visit the following link:

-[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER html %]
+[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER url_quote %]

--- a/template/en/default/bug/create/create.html.tmpl
+++ b/template/en/default/bug/create/create.html.tmpl
@@ -71,7 +71,7 @@
    
    <td align="right" valign="top">
      <strong>
-        <a href="describecomponents.cgi?product=[% product FILTER uri %]">
+        <a href="describecomponents.cgi?product=[% product FILTER url_quote %]">
          Component:</a>
      </strong>
    </td>

--- a/template/en/default/bug/edit.html.tmpl
+++ b/template/en/default/bug/edit.html.tmpl
@@ -90,7 +90,7 @@
    <tr>
      <td align="right">
        <b>
-          <a href="describecomponents.cgi?product=[% bug.product FILTER uri %]">
+          <a href="describecomponents.cgi?product=[% bug.product FILTER url_quote %]">
            Component</a>:
        </b>
      </td>

--- a/template/en/default/global/choose-product.html.tmpl
+++ b/template/en/default/global/choose-product.html.tmpl
@@ -27,7 +27,7 @@
 [% FOREACH p = proddesc.keys.sort %]
  <tr>
    <th align="right" valign="top">
-      <a href="[% target %]?product=[% p FILTER uri %]">
+      <a href="[% target %]?product=[% p FILTER url_quote %]">
        [% p FILTER html %]</a>:
    </th>


--- a/template/en/default/list/list.html.tmpl
+++ b/template/en/default/list/list.html.tmpl
@@ -25,6 +25,7 @@

 [% DEFAULT title = "Bug List" %]
 [% style_url = "css/buglist.css" %]
+[% qorder = order FILTER url_quote IF order %]


 [%############################################################################%]
@@ -137,7 +138,7 @@

    [% IF bugs.size > 1 && caneditbugs && !dotweak %]
      <a href="buglist.cgi?[% urlquerypart %]
-        [%- "&order=$order" FILTER uri html IF order %]&tweak=1">Change Several 
+        [%- "&order=$qorder" FILTER html IF order %]&amp;tweak=1">Change Several 
        Bugs at Once</a>
      &nbsp;&nbsp;
    [% END %]

--- a/template/en/default/list/table.html.tmpl
+++ b/template/en/default/list/table.html.tmpl
@@ -49,6 +49,8 @@
  }
 %]

+[% qorder = order FILTER url_quote IF order %]
+
 [%############################################################################%]
 [%# Table Header                                                             #%]
 [%############################################################################%]
@@ -98,8 +100,8 @@
 [% BLOCK columnheader %]
  <th colspan="[% splitheader ? 2 : 1 %]">
    <a href="buglist.cgi?[% urlquerypart %]&amp;order=
-      [% column.name FILTER uri html %]
-      [% ",$order" FILTER uri html IF order %]">
+      [% column.name FILTER url_quote FILTER html %]
+      [% ",$qorder" FILTER html IF order %]">
        [%- abbrev.$id.title || column.title -%]</a>
  </th>
 [% END %]

--- a/template/en/default/reports/keywords.html.tmpl
+++ b/template/en/default/reports/keywords.html.tmpl
@@ -53,7 +53,7 @@
    <td>[% keyword.description %]</td>
    <td align="right">
      [% IF keyword.bugcount > 0 %]
-        <A HREF="buglist.cgi?keywords=[% keyword.name FILTER uri %]">
+        <a href="buglist.cgi?keywords=[% keyword.name FILTER url_quote %]">
          [% keyword.bugcount %]</a>
      [% ELSE %]
        none

--- a/template/en/default/sidebar.xul.tmpl
+++ b/template/en/default/sidebar.xul.tmpl
@@ -98,7 +98,7 @@ function normal_keypress_handler( aEvent ) {
  [%- END %]

  [%- FOREACH name = namedqueries %]
-      <text class="text-link" onclick="load_relative_url('buglist.cgi?cmdtype=runnamed&amp;namedcmd=[% name FILTER uri %]')" value="[% name FILTER html %]"/>
+      <text class="text-link" onclick="load_relative_url('buglist.cgi?cmdtype=runnamed&amp;namedcmd=[% name FILTER url_quote %]')" value="[% name FILTER html %]"/>
  [% END %]

 [% ELSE %]