Escape <script> tags in wysiwyg feilds so that they don't execute.
This commit is contained in:
Родитель
13fd7fbadd
Коммит
d5829a736b
|
@ -187,30 +187,30 @@
|
|||
|
||||
[%# action, effect %]
|
||||
<h3>Set Up</h3>
|
||||
<textarea cols="122" rows="15" style="border: 1px solid #000000;" height="300"
|
||||
<textarea cols="122" rows="15" style="border: 1px solid #000000;" height="300" dontBeEvil="1"
|
||||
id="tcsetup" name="tcsetup" dojoType="Editor2" focusOnLoad="false">
|
||||
[% case.text.setup FILTER none %]</textarea>
|
||||
[% case.text.setup FILTER xss %]</textarea>
|
||||
<p align="right">
|
||||
<input type="SUBMIT" name="action" id="action" class="tr_button" value="[% action FILTER html %]">
|
||||
</p>
|
||||
<h3>Break Down</h3>
|
||||
<textarea cols="122" rows="15" style="border: 1px solid #000000;" height="300"
|
||||
id="tcbreakdown" name="tcbreakdown" dojoType="Editor2" focusOnLoad="false">
|
||||
[% case.text.breakdown FILTER none %]</textarea>
|
||||
[% case.text.breakdown FILTER xss %]</textarea>
|
||||
<p align="right">
|
||||
<input type="SUBMIT" name="action" id="action" class="tr_button" value="[% action FILTER html %]">
|
||||
</p>
|
||||
<h3>Action</h3>
|
||||
<textarea cols="122" rows="15" style="border: 1px solid #000000;" height="300"
|
||||
id="tcaction" name="tcaction" dojoType="Editor2" focusOnLoad="false">
|
||||
[% case.text.action FILTER none %]</textarea>
|
||||
[% case.text.action FILTER xss %]</textarea>
|
||||
<p align="right">
|
||||
<input type="SUBMIT" name="action" id="action" class="tr_button" value="[% action FILTER html %]">
|
||||
</p>
|
||||
<h3>Expected Results</h3>
|
||||
<textarea cols="122" rows="15" style="border: 1px solid #000000;" height="300"
|
||||
id="tceffect" name="tceffect" dojoType="Editor2" focusOnLoad="false">
|
||||
[% case.text.effect FILTER none %]</textarea>
|
||||
[% case.text.effect FILTER xss %]</textarea>
|
||||
<p align="right">
|
||||
<input type="SUBMIT" name="action" id="action" class="tr_button" value="[% action FILTER html %]">
|
||||
</p>
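Review bot: `FILTER xss` on the setup/breakdown/action/effect values does not neutralise a `</textarea>` sequence, so stored text containing one still closes the textarea and lands in page HTML context, where any tag — not only `<script` — is live. Inside a textarea the browser entity-decodes the content when building the control's value, so `[% case.text.setup FILTER html %]` (and likewise for the other three fields) closes that hole while handing Editor2 the same markup it gets today; whether the editor itself executes event handlers in that markup is a separate question, best answered by sanitising the HTML with an allow-list when it is saved. The new `dontBeEvil="1"` attribute on the first textarea is unexplained and absent from the other three; presumably the dojo editor reads it, so a one-line comment such as `[%# dontBeEvil is consumed by the Editor2 widget %]` next to it would save the next reader a search. The enclosing form starts and ends outside the hunk.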
|
||||
|
|
|
@ -75,7 +75,7 @@
|
|||
<h3>Plan Document</h3>
|
||||
<textarea cols="122" rows="15" id="plandoc" name="plandoc" style="border: 1px solid #000000;"
|
||||
dojoType="Editor2" focusOnLoad="false" height="500px">
|
||||
[% plan.text %]</textarea>
|
||||
[% plan.text FILTER xss %]</textarea>
|
||||
<p>
|
||||
<input type="submit" name="action" value="[% action FILTER html %]">
|
||||
</p>
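Review bot: `plan.text` was emitted unfiltered before and `FILTER xss` only rewrites `<script` tokens, so a plan document containing `</textarea>` followed by markup still breaks out of the textarea into the page, where an `<img onerror=…>`-style payload needs no script tag at all. Because a textarea's value is entity-decoded by the browser, `[% plan.text FILTER html %]` gives Editor2 the same content while making the breakout impossible; stripping scripts then belongs to an allow-list sanitiser applied to the stored value rather than to this output. The enclosing form begins and ends outside the hunk.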
|
||||
|
|
|
@ -576,6 +576,25 @@ Index: /bmo-2.22/Bugzilla/DB/Schema.pm
|
|||
|
||||
};
|
||||
#--------------------------------------------------------------------------
|
||||
Index: /bmo-2.22/Bugzilla/Template.pm
|
||||
===================================================================
|
||||
--- /bmo-2.22/Bugzilla/Template.pm 22 Jan 2006 21:37:37 -0000 1.41
|
||||
+++ /bmo-2.22-testopia/Bugzilla/Template.pm 8 Dec 2006 18:20:56 -0000
|
||||
@@ -498,6 +498,14 @@
|
||||
}
|
||||
return $var;
|
||||
},
|
||||
+
|
||||
+ # Prevent XSS attacks in WYSIWYG fields.
|
||||
+ xss => sub{
|
||||
+ my ($var) = @_;
|
||||
+ $var =~ s/(<|<)script/_script/ig;
|
||||
+ $var =~ s/(<|<)\/script(>|>)/script_/gi;
|
||||
+ return $var;
|
||||
+ },
|
||||
|
||||
# iCalendar contentline filter
|
||||
ics => [ sub {
|
||||
Index: /bmo-2.22/Bugzilla/DB/Schema/Mysql.pm
|
||||
===================================================================
|
||||
--- /bmo-2.22/Bugzilla/DB/Schema/Mysql.pm 2005-12-18 11:53:00.000000000 -0700
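Review bot: The new `xss` filter is a deny-list that only rewrites `<script` and `</script>`, so markup such as `<img src=x onerror=…>`, `<svg onload=…>`, `<iframe>` or a `javascript:` URL in `href`/`src` passes through untouched, and nothing here handles `</textarea>` even though every call site in this commit places the output inside a `<textarea>`. The alternation `(<|<)` also shows two identical literals on this page — if the source actually reads `(<|&lt;)` that is a rendering artifact, but if it really is two `<` the second branch is dead and an entity-encoded `&lt;script` is not matched either way. The substitutions are lossy as well: a test step that legitimately mentions `<script>` is silently rewritten to `_script>` and, since the field is editable, saved back in that form. A durable fix is to sanitise the stored HTML with an allow-list of tags and attributes (dropping event-handler attributes and non-http(s) URL schemes) at save time and to use the existing `html` filter at output; at minimum the comment should state the filter's limits, e.g. `# Deny-list: only neutralises <script> tags; NOT a general HTML sanitiser.` The enclosing filter hash starts and ends outside the hunk.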
|
||||
|
|
|
@ -576,6 +576,25 @@ Index: /bmo-2.22/Bugzilla/DB/Schema.pm
|
|||
|
||||
};
|
||||
#--------------------------------------------------------------------------
|
||||
Index: /bmo-2.22/Bugzilla/Template.pm
|
||||
===================================================================
|
||||
--- /bmo-2.22/Bugzilla/Template.pm 22 Jan 2006 21:37:37 -0000 1.41
|
||||
+++ /bmo-2.22-testopia/Bugzilla/Template.pm 8 Dec 2006 18:20:56 -0000
|
||||
@@ -498,6 +498,14 @@
|
||||
}
|
||||
return $var;
|
||||
},
|
||||
+
|
||||
+ # Prevent XSS attacks in WYSIWYG fields.
|
||||
+ xss => sub{
|
||||
+ my ($var) = @_;
|
||||
+ $var =~ s/(<|<)script/_script/ig;
|
||||
+ $var =~ s/(<|<)\/script(>|>)/script_/gi;
|
||||
+ return $var;
|
||||
+ },
|
||||
|
||||
# iCalendar contentline filter
|
||||
ics => [ sub {
|
||||
Index: /bmo-2.22/Bugzilla/DB/Schema/Mysql.pm
|
||||
===================================================================
|
||||
--- /bmo-2.22/Bugzilla/DB/Schema/Mysql.pm 2005-12-18 11:53:00.000000000 -0700
|
||||
|
|