Commit e0abf5a6 authored by gerv%gerv.net's avatar gerv%gerv.net

Bug 136180 - use uri/url_quote filters correctly. Patch by ddk; 2xr=gerv.

parent c61b13b2
......@@ -67,7 +67,7 @@ sub IssueEmailChangeToken {
$vars->{'oldemailaddress'} = $old_email . &::Param('emailsuffix');
$vars->{'newemailaddress'} = $new_email . &::Param('emailsuffix');
$vars->{'token'} = &::url_quote($token);
$vars->{'token'} = $token;
$vars->{'emailaddress'} = $old_email . &::Param('emailsuffix');
my $message;
......@@ -78,7 +78,7 @@ sub IssueEmailChangeToken {
print SENDMAIL $message;
close SENDMAIL;
$vars->{'token'} = &::url_quote($newtoken);
$vars->{'token'} = $newtoken;
$vars->{'emailaddress'} = $new_email . &::Param('emailsuffix');
$message = "";
......@@ -211,7 +211,7 @@ sub Cancel {
$vars->{'emailaddress'} = $username;
$vars->{'maintainer'} = $maintainer;
$vars->{'remoteaddress'} = $::ENV{'REMOTE_ADDR'};
$vars->{'token'} = &::url_quote($token);
$vars->{'token'} = $token;
$vars->{'tokentype'} = $tokentype;
$vars->{'issuedate'} = $issuedate;
$vars->{'eventdata'} = $eventdata;
......
......@@ -67,7 +67,7 @@ sub IssueEmailChangeToken {
$vars->{'oldemailaddress'} = $old_email . &::Param('emailsuffix');
$vars->{'newemailaddress'} = $new_email . &::Param('emailsuffix');
$vars->{'token'} = &::url_quote($token);
$vars->{'token'} = $token;
$vars->{'emailaddress'} = $old_email . &::Param('emailsuffix');
my $message;
......@@ -78,7 +78,7 @@ sub IssueEmailChangeToken {
print SENDMAIL $message;
close SENDMAIL;
$vars->{'token'} = &::url_quote($newtoken);
$vars->{'token'} = $newtoken;
$vars->{'emailaddress'} = $new_email . &::Param('emailsuffix');
$message = "";
......@@ -211,7 +211,7 @@ sub Cancel {
$vars->{'emailaddress'} = $username;
$vars->{'maintainer'} = $maintainer;
$vars->{'remoteaddress'} = $::ENV{'REMOTE_ADDR'};
$vars->{'token'} = &::url_quote($token);
$vars->{'token'} = $token;
$vars->{'tokentype'} = $tokentype;
$vars->{'issuedate'} = $issuedate;
$vars->{'eventdata'} = $eventdata;
......
......@@ -1616,6 +1616,13 @@ $::template ||= Template->new(
} ,
html => \&html_quote ,
# This subroutine in CGI.pl escapes characters in a variable
# or value string for use in a query string. It escapes all
# characters NOT in the regex set: [a-zA-Z0-9_\-.]. The 'uri'
# filter should be used for a full URL that may have
# characters that need encoding.
url_quote => \&url_quote ,
} ,
}
) || DisplayError("Template creation failed: " . Template->error())
......
......@@ -63,8 +63,9 @@ my $template = Template->new(
# actually have to function in this test, just be defined.
FILTERS =>
{
js => sub { return $_ } ,
strike => sub { return $_ } ,
js => sub { return $_ }
url_quote => sub { return $_ } ,
},
}
);
......
......@@ -27,10 +27,10 @@ for the [% oldemailaddress %] account to your address.
To confirm the change, visit the following link:
[% Param('urlbase') %]token.cgi?a=cfmem&t=[% token FILTER html %]
[% Param('urlbase') %]token.cgi?a=cfmem&t=[% token FILTER url_quote %]
If you are not the person who made this request, or you wish to cancel
this request, visit the following link:
[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER html %]
[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER url_quote %]
......@@ -31,5 +31,5 @@ for your account to [% newemailaddress %].
If you are not the person who made this request, or you wish to cancel
this request, visit the following link:
[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER html %]
[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER url_quote %]
......@@ -71,7 +71,7 @@
<td align="right" valign="top">
<strong>
<a href="describecomponents.cgi?product=[% product FILTER uri %]">
<a href="describecomponents.cgi?product=[% product FILTER url_quote %]">
Component:</a>
</strong>
</td>
......
......@@ -90,7 +90,7 @@
<tr>
<td align="right">
<b>
<a href="describecomponents.cgi?product=[% bug.product FILTER uri %]">
<a href="describecomponents.cgi?product=[% bug.product FILTER url_quote %]">
Component</a>:
</b>
</td>
......
......@@ -27,7 +27,7 @@
[% FOREACH p = proddesc.keys.sort %]
<tr>
<th align="right" valign="top">
<a href="[% target %]?product=[% p FILTER uri %]">
<a href="[% target %]?product=[% p FILTER url_quote %]">
[% p FILTER html %]</a>:
</th>
......
......@@ -25,6 +25,7 @@
[% DEFAULT title = "Bug List" %]
[% style_url = "css/buglist.css" %]
[% qorder = order FILTER url_quote IF order %]
[%############################################################################%]
......@@ -137,7 +138,7 @@
[% IF bugs.size > 1 && caneditbugs && !dotweak %]
<a href="buglist.cgi?[% urlquerypart %]
[%- "&order=$order" FILTER uri html IF order %]&tweak=1">Change Several
[%- "&order=$qorder" FILTER html IF order %]&amp;tweak=1">Change Several
Bugs at Once</a>
&nbsp;&nbsp;
[% END %]
......
......@@ -49,6 +49,8 @@
}
%]
[% qorder = order FILTER url_quote IF order %]
[%############################################################################%]
[%# Table Header #%]
[%############################################################################%]
......@@ -98,8 +100,8 @@
[% BLOCK columnheader %]
<th colspan="[% splitheader ? 2 : 1 %]">
<a href="buglist.cgi?[% urlquerypart %]&amp;order=
[% column.name FILTER uri html %]
[% ",$order" FILTER uri html IF order %]">
[% column.name FILTER url_quote FILTER html %]
[% ",$qorder" FILTER html IF order %]">
[%- abbrev.$id.title || column.title -%]</a>
</th>
[% END %]
......
......@@ -53,7 +53,7 @@
<td>[% keyword.description %]</td>
<td align="right">
[% IF keyword.bugcount > 0 %]
<A HREF="buglist.cgi?keywords=[% keyword.name FILTER uri %]">
<a href="buglist.cgi?keywords=[% keyword.name FILTER url_quote %]">
[% keyword.bugcount %]</a>
[% ELSE %]
none
......
......@@ -98,7 +98,7 @@ function normal_keypress_handler( aEvent ) {
[%- END %]
[%- FOREACH name = namedqueries %]
<text class="text-link" onclick="load_relative_url('buglist.cgi?cmdtype=runnamed&amp;namedcmd=[% name FILTER uri %]')" value="[% name FILTER html %]"/>
<text class="text-link" onclick="load_relative_url('buglist.cgi?cmdtype=runnamed&amp;namedcmd=[% name FILTER url_quote %]')" value="[% name FILTER html %]"/>
[% END %]
[% ELSE %]
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment