Escape <script> tags in wysiwyg fields so that they don't execute.

This commit is contained in:
ghendricks%novell.com 2006-12-08 18:39:14 +00:00
Родитель 13fd7fbadd
Коммит d5829a736b
4 изменённых файлов: 44 добавлений и 6 удалений


@ -187,30 +187,30 @@
[%# action, effect %]
<h3>Set Up</h3>
<textarea cols="122" rows="15" style="border: 1px solid #000000;" height="300"
<textarea cols="122" rows="15" style="border: 1px solid #000000;" height="300" dontBeEvil="1"
id="tcsetup" name="tcsetup" dojoType="Editor2" focusOnLoad="false">
[% case.text.setup FILTER none %]</textarea>
[% case.text.setup FILTER xss %]</textarea>
<p align="right">
<input type="SUBMIT" name="action" id="action" class="tr_button" value="[% action FILTER html %]">
</p>
<h3>Break Down</h3>
<textarea cols="122" rows="15" style="border: 1px solid #000000;" height="300"
id="tcbreakdown" name="tcbreakdown" dojoType="Editor2" focusOnLoad="false">
[% case.text.breakdown FILTER none %]</textarea>
[% case.text.breakdown FILTER xss %]</textarea>
<p align="right">
<input type="SUBMIT" name="action" id="action" class="tr_button" value="[% action FILTER html %]">
</p>
<h3>Action</h3>
<textarea cols="122" rows="15" style="border: 1px solid #000000;" height="300"
id="tcaction" name="tcaction" dojoType="Editor2" focusOnLoad="false">
[% case.text.action FILTER none %]</textarea>
[% case.text.action FILTER xss %]</textarea>
<p align="right">
<input type="SUBMIT" name="action" id="action" class="tr_button" value="[% action FILTER html %]">
</p>
<h3>Expected Results</h3>
<textarea cols="122" rows="15" style="border: 1px solid #000000;" height="300"
id="tceffect" name="tceffect" dojoType="Editor2" focusOnLoad="false">
[% case.text.effect FILTER none %]</textarea>
[% case.text.effect FILTER xss %]</textarea>
<p align="right">
<input type="SUBMIT" name="action" id="action" class="tr_button" value="[% action FILTER html %]">
</p>
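Review bot: `FILTER xss` on the new side of each `[% case.text.* %]` line only rewrites a literal `<script` tag (its definition is in the Template.pm hunk below); all other markup in the stored text, including attributes and elements the editor will render, reaches the page unchanged, and the textarea body is still not entity-escaped, so stored text containing `</textarea>` terminates the element early. A blocklist rewrite is not a substitute for an allowlist HTML sanitizer applied when the text is saved, or for `FILTER html` on the textarea body if the editor can work from the decoded value. `dontBeEvil="1"` is added to the tcsetup textarea only, is not a standard attribute and is not explained; either add a template comment such as `[%# dontBeEvil: state what Editor2 does with this attribute %]` or apply it to the other three textareas consistently. The same filter-only change appears in the plandoc hunk below, where `[% plan.text %]` previously had no filter at all.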


@ -75,7 +75,7 @@
<h3>Plan Document</h3>
<textarea cols="122" rows="15" id="plandoc" name="plandoc" style="border: 1px solid #000000;"
dojoType="Editor2" focusOnLoad="false" height="500px">
[% plan.text %]</textarea>
[% plan.text FILTER xss %]</textarea>
<p>
<input type="submit" name="action" value="[% action FILTER html %]">
</p>


@ -576,6 +576,25 @@ Index: /bmo-2.22/Bugzilla/DB/Schema.pm
};
#--------------------------------------------------------------------------
Index: /bmo-2.22/Bugzilla/Template.pm
===================================================================
--- /bmo-2.22/Bugzilla/Template.pm 22 Jan 2006 21:37:37 -0000 1.41
+++ /bmo-2.22-testopia/Bugzilla/Template.pm 8 Dec 2006 18:20:56 -0000
@@ -498,6 +498,14 @@
}
return $var;
},
+
+ # Prevent XSS attacks in WYSIWYG fields.
+ xss => sub{
+ my ($var) = @_;
+ $var =~ s/(&lt;|<)script/_script/ig;
+ $var =~ s/(&lt;|<)\/script(>|&gt;)/script_/gi;
+ return $var;
+ },
# iCalendar contentline filter
ics => [ sub {
Index: /bmo-2.22/Bugzilla/DB/Schema/Mysql.pm
===================================================================
--- /bmo-2.22/Bugzilla/DB/Schema/Mysql.pm 2005-12-18 11:53:00.000000000 -0700
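Review bot: The added `xss` filter mutates content rather than escaping it: `s/(&lt;|<)script/_script/ig` and the matching close-tag substitution turn any mention of a script tag into `_script>` / `script_` on every render, so a test author cannot legitimately reference such a tag in a description and the mangled text is what the editor submits back, while every other HTML construct passes through untouched. An allowlist sanitizer of tags and attributes, applied at save time, is the reliable fix; if this stays as an interim measure, replace the added comment with `# Neutralises a literal <script> tag only; NOT a general HTML sanitizer, and lossy.` so nobody relies on it as one. The filter name `xss` reads as the thing it is meant to prevent; a name such as `strip_script` would describe what it does, and `sub{` / mixed `/ig` and `/gi` should follow the surrounding style. This hunk is inside a patch file whose enclosing `Index:` block for Schema.pm starts and ends outside the hunk, and the identical hunk is repeated in the following file section.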


@ -576,6 +576,25 @@ Index: /bmo-2.22/Bugzilla/DB/Schema.pm
};
#--------------------------------------------------------------------------
Index: /bmo-2.22/Bugzilla/Template.pm
===================================================================
--- /bmo-2.22/Bugzilla/Template.pm 22 Jan 2006 21:37:37 -0000 1.41
+++ /bmo-2.22-testopia/Bugzilla/Template.pm 8 Dec 2006 18:20:56 -0000
@@ -498,6 +498,14 @@
}
return $var;
},
+
+ # Prevent XSS attacks in WYSIWYG fields.
+ xss => sub{
+ my ($var) = @_;
+ $var =~ s/(&lt;|<)script/_script/ig;
+ $var =~ s/(&lt;|<)\/script(>|&gt;)/script_/gi;
+ return $var;
+ },
# iCalendar contentline filter
ics => [ sub {
Index: /bmo-2.22/Bugzilla/DB/Schema/Mysql.pm
===================================================================
--- /bmo-2.22/Bugzilla/DB/Schema/Mysql.pm 2005-12-18 11:53:00.000000000 -0700