Bug 425665: [SECURITY] XSS in show_bug.cgi: id isn't filtered for…

show_bug.cgi

@@ -100,7 +100,7 @@ $vars->{'marks'} = \%marks;
 $vars->{'valid_keywords'} = [map($_->name, Bugzilla::Keyword->get_all)];
 $vars->{'use_keywords'} = 1 if Bugzilla::Keyword::keyword_count();
 
-my @bugids = map {$_->bug_id} @bugs;
+my @bugids = map {$_->bug_id} grep {!$_->error} @bugs;
 $vars->{'bugids'} = join(", ", @bugids);
 
 # Next bug in list (if there is one)

template/en/default/bug/show-multiple.html.tmpl

@@ -36,12 +36,12 @@
   [% ids = [] %]
   [% FOREACH bug = bugs %]
     [% PROCESS bug_display %]
-    [% ids.push(bug.bug_id) %]
+    [% ids.push(bug.bug_id) UNLESS bug.error %]
   [% END %]
   [% IF ids.size > 1 %]
     <div class="bz_query_buttons">
       <form method="post" action="buglist.cgi">
-        <input type="hidden" name="bug_id" value="[% ids.join(",") FILTER none %]">
+        <input type="hidden" name="bug_id" value="[% ids.join(",") FILTER html %]">
         <input type="submit" id="short_format" value="Short Format">
       </form>
     </div>
@@ -63,7 +63,7 @@
 [% BLOCK bug_display %]
   <h1>
     [% terms.Bug %] 
-    <a href="show_bug.cgi?id=[% bug.bug_id %]">[% bug.bug_id %]</a>
+    <a href="show_bug.cgi?id=[% bug.bug_id FILTER html %]">[% bug.bug_id FILTER html %]</a>
     [% IF Param("usebugaliases") AND bug.alias AND NOT bug.error %]
       (<a href="show_bug.cgi?id=[% bug.alias FILTER url_quote %]">
         [% bug.alias FILTER html %]</a>)

template/en/default/filterexceptions.pl

@@ -326,7 +326,6 @@
 ],
 
 'bug/show-multiple.html.tmpl' => [
-  'bug.bug_id', 
   'attachment.id', 
   'flag.status',
 ],