author | Frédéric Buclin <LpSolit@gmail.com> | 2014-02-10 18:38:36 +0100 |
committer | Frédéric Buclin <LpSolit@gmail.com> | 2014-02-10 18:38:36 +0100 |
commit | c5b78d9960edf67bba48e2e599149b0dcf699254 (patch) | |
tree | b12bc1ca2edbb01bc5350db47370079721607579 | |
parent | Bug 961789: large dependency trees with lots of resolved bugs are very slow t... (diff) | |
Bug 926085: Forbird single quotes to delimit URLs (no <a href='...'>)
r=dkl a=glob
-rw-r--r-- | t/004template.t | 16 | ||||
-rw-r--r-- | template/en/default/admin/params/attachment.html.tmpl | 4 | ||||
-rw-r--r-- | template/en/default/admin/params/auth.html.tmpl | 2 |
3 files changed, 18 insertions, 4 deletions
diff --git a/t/004template.t b/t/004template.t
index 298bb52c0..604559dc0 100644
--- a/t/004template.t
+++ b/t/004template.t
@@ -20,7 +20,7 @@ use CGI qw(-no_debug);
 use File::Spec;
 use Template;
-use Test::More tests => ( scalar(@referenced_files) + $num_actual_files );
+use Test::More tests => ( scalar(@referenced_files) + 2 * $num_actual_files );
 # Capture the TESTOUT from Test::More or Test::Builder for printing errors.
 # This will handle verbosity for us automatically.
@@ -104,6 +104,20 @@ foreach my $include_path (@include_paths) {
             ok(0, "$path has bad syntax --ERROR");
             print $fh $data . "\n";
         }
+
+        # Make sure no forbidden constructs are present.
+        local $/;
+        open(FILE, '<', $path) or die "Can't open $file: $!\n";
+        $data = <FILE>;
+        close (FILE);
+
+        # Forbid single quotes to delimit URLs, see bug 926085.
+        if ($data =~ /href=\\?'/) {
+            ok(0, "$path contains blacklisted constructs: href='...'");
+        }
+        else {
+            ok(1, "$path contains no blacklisted constructs");
+        }
     }
 }
diff --git a/template/en/default/admin/params/attachment.html.tmpl b/template/en/default/admin/params/attachment.html.tmpl
index 6e0301908..c0c32a4d5 100644
--- a/template/en/default/admin/params/attachment.html.tmpl
+++ b/template/en/default/admin/params/attachment.html.tmpl
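Review bot: The new slurp in the second hunk uses a bareword global filehandle and reports a different variable than the one it opens: `open(FILE, '<', $path) or die "Can't open $file: $!\n";` reads `$path`, but the failure message names `$file` (presumably the loop's relative file name), while the surrounding `ok()` lines identify the file by `$path`. A lexical handle keeps the read private to this iteration and cannot collide with any other code using `FILE`; since `$fh` is already the TESTOUT handle printed to a few lines above, a distinct name is needed: `open(my $tmpl_fh, '<', $path) or die "Can't open $path: $!";`, `$data = <$tmpl_fh>;`, `close($tmpl_fh);`. The pattern `/href=\\?'/` only inspects the `href` attribute, so a single-quoted value in another URL-bearing attribute (`src=`, `action=`) would still pass this test; if the aim of bug 926085 is uniform attribute delimiters across templates, the regex could be widened to something like `/\b(?:href|src|action)=\\?'/`, or the comment should state that only `href` is covered. The enclosing `foreach` loop body starts and ends outside the hunk, so the scope of `local $/` is inferred, not visible.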
@@ -50,13 +50,13 @@
   maxattachmentsize => "The maximum size (in kilobytes) of attachments to be stored " _
                        "in the database. If a file larger than this size is attached " _
                        "to ${terms.abug}, $terms.Bugzilla will look at the " _
-                       "<a href='#maxlocalattachment'><tt>maxlocalattachment</tt> parameter</a> " _
+                       "<a href=\"#maxlocalattachment\"><tt>maxlocalattachment</tt> parameter</a> " _
                        "to determine if the file can be stored locally on the web server. " _
                        "If the file size exceeds both limits, then the attachment is rejected. " _
                        "Settings both parameters to 0 will prevent attaching files to ${terms.bugs}.",
   maxlocalattachment => "The maximum size (in megabytes) of attachments to be stored " _
                        "locally on the web server. If set to a value lower than the " _
-                       "<a href='#maxattachmentsize'><tt>maxattachmentsize</tt> parameter</a>, " _
+                       "<a href=\"#maxattachmentsize\"><tt>maxattachmentsize</tt> parameter</a>, " _
                        "attachments will never be kept on the local filesystem." } %]
diff --git a/template/en/default/admin/params/auth.html.tmpl b/template/en/default/admin/params/auth.html.tmpl
index 38090915e..0a72938ca 100644
--- a/template/en/default/admin/params/auth.html.tmpl
+++ b/template/en/default/admin/params/auth.html.tmpl
@@ -97,7 +97,7 @@
   "This defines the regular expression to use for legal email addresses. " _
   "The default tries to match fully qualified email addresses. " _
   "Use <tt>.*</tt> to accept any email address following the " _
-  "<a href='http://tools.ietf.org/html/rfc2822#section-3.4.1'>RFC 2822</a> " _
+  "<a href=\"http://tools.ietf.org/html/rfc2822#section-3.4.1\">RFC 2822</a> " _
   "specification. Another popular value to put here is <tt>^[^@]+$</tt>, " _
   "which means 'local usernames, no @ allowed.'",