Bug 136180 - use uri/url_quote filters correctly. Patch by ddk; 2xr=gerv.

webtools/bugzilla/Bugzilla/Token.pm

@@ -67,7 +67,7 @@ sub IssueEmailChangeToken {
     $vars->{'oldemailaddress'} = $old_email . &::Param('emailsuffix');
     $vars->{'newemailaddress'} = $new_email . &::Param('emailsuffix');
 
-    $vars->{'token'} = &::url_quote($token);
+    $vars->{'token'} = $token;
     $vars->{'emailaddress'} = $old_email . &::Param('emailsuffix');
 
     my $message;
@@ -78,7 +78,7 @@ sub IssueEmailChangeToken {
     print SENDMAIL $message;
     close SENDMAIL;
 
-    $vars->{'token'} = &::url_quote($newtoken);
+    $vars->{'token'} = $newtoken;
     $vars->{'emailaddress'} = $new_email . &::Param('emailsuffix');
 
     $message = "";
@@ -211,7 +211,7 @@ sub Cancel {
     $vars->{'emailaddress'} = $username;
     $vars->{'maintainer'} = $maintainer;
     $vars->{'remoteaddress'} = $::ENV{'REMOTE_ADDR'};
-    $vars->{'token'} = &::url_quote($token);
+    $vars->{'token'} = $token;
     $vars->{'tokentype'} = $tokentype;
     $vars->{'issuedate'} = $issuedate;
     $vars->{'eventdata'} = $eventdata;

webtools/bugzilla/Token.pm

@@ -67,7 +67,7 @@ sub IssueEmailChangeToken {
     $vars->{'oldemailaddress'} = $old_email . &::Param('emailsuffix');
     $vars->{'newemailaddress'} = $new_email . &::Param('emailsuffix');
 
-    $vars->{'token'} = &::url_quote($token);
+    $vars->{'token'} = $token;
     $vars->{'emailaddress'} = $old_email . &::Param('emailsuffix');
 
     my $message;
@@ -78,7 +78,7 @@ sub IssueEmailChangeToken {
     print SENDMAIL $message;
     close SENDMAIL;
 
-    $vars->{'token'} = &::url_quote($newtoken);
+    $vars->{'token'} = $newtoken;
     $vars->{'emailaddress'} = $new_email . &::Param('emailsuffix');
 
     $message = "";
@@ -211,7 +211,7 @@ sub Cancel {
     $vars->{'emailaddress'} = $username;
     $vars->{'maintainer'} = $maintainer;
     $vars->{'remoteaddress'} = $::ENV{'REMOTE_ADDR'};
-    $vars->{'token'} = &::url_quote($token);
+    $vars->{'token'} = $token;
     $vars->{'tokentype'} = $tokentype;
     $vars->{'issuedate'} = $issuedate;
     $vars->{'eventdata'} = $eventdata;

webtools/bugzilla/globals.pl

@@ -1616,6 +1616,13 @@ $::template ||= Template->new(
         } , 
         
         html => \&html_quote , 
+
+        # This subroutine in CGI.pl escapes characters in a variable
+        # or value string for use in a query string.  It escapes all
+        # characters NOT in the regex set: [a-zA-Z0-9_\-.].  The 'uri'
+        # filter should be used for a full URL that may have
+        # characters that need encoding.
+        url_quote => \&url_quote ,
       } ,
   }
 ) || DisplayError("Template creation failed: " . Template->error())

webtools/bugzilla/t/004template.t

@@ -63,8 +63,9 @@ my $template = Template->new(
     # actually have to function in this test, just be defined.
     FILTERS =>
     {
-        strike => sub { return $_ } ,
-        js     => sub { return $_ }
+        js        => sub { return $_ } ,
+        strike    => sub { return $_ } ,
+        url_quote => sub { return $_ } ,
     },
 }
 );

webtools/bugzilla/template/en/default/account/email/change-new.txt.tmpl

@@ -27,10 +27,10 @@ for the [% oldemailaddress %] account to your address.
 
 To confirm the change, visit the following link:
 
-[% Param('urlbase') %]token.cgi?a=cfmem&t=[% token FILTER html %]
+[% Param('urlbase') %]token.cgi?a=cfmem&t=[% token FILTER url_quote %]
 
 If you are not the person who made this request, or you wish to cancel
 this request, visit the following link:
 
-[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER html %]
+[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER url_quote %]
 

webtools/bugzilla/template/en/default/account/email/change-old.txt.tmpl

@@ -31,5 +31,5 @@ for your account to [% newemailaddress %].
 If you are not the person who made this request, or you wish to cancel
 this request, visit the following link:
 
-[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER html %]
+[% Param('urlbase') %]token.cgi?a=cxlem&t=[% token FILTER url_quote %]
 

webtools/bugzilla/template/en/default/bug/create/create.html.tmpl

@@ -71,7 +71,7 @@
     
     <td align="right" valign="top">
       <strong>
-        <a href="describecomponents.cgi?product=[% product FILTER uri %]">
+        <a href="describecomponents.cgi?product=[% product FILTER url_quote %]">
           Component:</a>
       </strong>
     </td>

webtools/bugzilla/template/en/default/bug/edit.html.tmpl

@@ -90,7 +90,7 @@
     <tr>
       <td align="right">
         <b>
-          <a href="describecomponents.cgi?product=[% bug.product FILTER uri %]">
+          <a href="describecomponents.cgi?product=[% bug.product FILTER url_quote %]">
             Component</a>:
         </b>
       </td>

webtools/bugzilla/template/en/default/global/choose-product.html.tmpl

@@ -27,7 +27,7 @@
 [% FOREACH p = proddesc.keys.sort %]
   <tr>
     <th align="right" valign="top">
-      <a href="[% target %]?product=[% p FILTER uri %]">
+      <a href="[% target %]?product=[% p FILTER url_quote %]">
         [% p FILTER html %]</a>:
     </th>
 

webtools/bugzilla/template/en/default/list/list.html.tmpl

@@ -25,6 +25,7 @@
 
 [% DEFAULT title = "Bug List" %]
 [% style_url = "css/buglist.css" %]
+[% qorder = order FILTER url_quote IF order %]
 
 
 [%############################################################################%]
@@ -137,7 +138,7 @@
 
     [% IF bugs.size > 1 && caneditbugs && !dotweak %]
       <a href="buglist.cgi?[% urlquerypart %]
-        [%- "&order=$order" FILTER uri html IF order %]&tweak=1">Change Several 
+        [%- "&order=$qorder" FILTER html IF order %]&amp;tweak=1">Change Several 
         Bugs at Once</a>
       &nbsp;&nbsp;
     [% END %]

webtools/bugzilla/template/en/default/list/table.html.tmpl

@@ -49,6 +49,8 @@
   }
 %]
 
+[% qorder = order FILTER url_quote IF order %]
+
 [%############################################################################%]
 [%# Table Header                                                             #%]
 [%############################################################################%]
@@ -98,8 +100,8 @@
 [% BLOCK columnheader %]
   <th colspan="[% splitheader ? 2 : 1 %]">
     <a href="buglist.cgi?[% urlquerypart %]&amp;order=
-      [% column.name FILTER uri html %]
-      [% ",$order" FILTER uri html IF order %]">
+      [% column.name FILTER url_quote FILTER html %]
+      [% ",$qorder" FILTER html IF order %]">
         [%- abbrev.$id.title || column.title -%]</a>
   </th>
 [% END %]

webtools/bugzilla/template/en/default/reports/keywords.html.tmpl

@@ -53,7 +53,7 @@
     <td>[% keyword.description %]</td>
     <td align="right">
       [% IF keyword.bugcount > 0 %]
-        <A HREF="buglist.cgi?keywords=[% keyword.name FILTER uri %]">
+        <a href="buglist.cgi?keywords=[% keyword.name FILTER url_quote %]">
           [% keyword.bugcount %]</a>
       [% ELSE %]
         none

webtools/bugzilla/template/en/default/sidebar.xul.tmpl

@@ -98,7 +98,7 @@ function normal_keypress_handler( aEvent ) {
   [%- END %]
 
   [%- FOREACH name = namedqueries %]
-      <text class="text-link" onclick="load_relative_url('buglist.cgi?cmdtype=runnamed&amp;namedcmd=[% name FILTER uri %]')" value="[% name FILTER html %]"/>
+      <text class="text-link" onclick="load_relative_url('buglist.cgi?cmdtype=runnamed&amp;namedcmd=[% name FILTER url_quote %]')" value="[% name FILTER html %]"/>
   [% END %]
 
 [% ELSE %]