From c5b78d9960edf67bba48e2e599149b0dcf699254 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Mon, 10 Feb 2014 18:38:36 +0100
Subject: Bug 926085: Forbird single quotes to delimit URLs (no ) r=dkl a=glob
---
 t/004template.t | 16 +++++++++++++++-
 template/en/default/admin/params/attachment.html.tmpl | 4 ++--
 template/en/default/admin/params/auth.html.tmpl | 2 +-
 3 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/t/004template.t b/t/004template.t
index 298bb52c0..604559dc0 100644
--- a/t/004template.t
+++ b/t/004template.t
@@ -20,7 +20,7 @@ use CGI qw(-no_debug);
 use File::Spec;
 use Template;
-use Test::More tests => ( scalar(@referenced_files) + $num_actual_files );
+use Test::More tests => ( scalar(@referenced_files) + 2 * $num_actual_files );
 # Capture the TESTOUT from Test::More or Test::Builder for printing errors.
 # This will handle verbosity for us automatically.
@@ -104,6 +104,20 @@ foreach my $include_path (@include_paths) {
 ok(0, "$path has bad syntax --ERROR");
 print $fh $data . "\n";
 }
+
+ # Make sure no forbidden constructs are present.
+ local $/;
+ open(FILE, '<', $path) or die "Can't open $file: $!\n";
+ $data = ;
+ close (FILE);
+
+ # Forbid single quotes to delimit URLs, see bug 926085.
+ if ($data =~ /href=\\?'/) {
+ ok(0, "$path contains blacklisted constructs: href='...'");
+ }
+ else {
+ ok(1, "$path contains no blacklisted constructs");
+ }
 }
 }
diff --git a/template/en/default/admin/params/attachment.html.tmpl b/template/en/default/admin/params/attachment.html.tmpl
index 6e0301908..c0c32a4d5 100644
--- a/template/en/default/admin/params/attachment.html.tmpl
+++ b/template/en/default/admin/params/attachment.html.tmpl
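Review bot: The new check aborts the whole test file with `die` when a template cannot be opened, while the syntax check just above it reports the same kind of problem as a failed assertion; the message also interpolates `$file` although the handle is opened on `$path`, so the diagnostic may name the wrong thing (both variables are declared outside the hunk). A lexical handle would match the rest of the file, e.g. `open(my $tmpl_fh, '<', $path) or do { ok(0, "Can't open $path: $!"); next; }` (the readline on the following line appears truncated in this rendering, presumably `<FILE>`), and the `ok(0)`/`ok(1)` pair could become a single `unlike($data, qr/href=\\?'/, "$path contains no blacklisted constructs");`, which also prints the offending text on failure. The pattern only matches `href=` immediately followed by an optional backslash and a single quote, so `href = '...'`, uppercase attribute names, or other single-quoted attributes still pass; the comment should say which escaping assumption the rule protects rather than only citing the bug number. The enclosing foreach loops start before the hunk.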
@@ -50,13 +50,13 @@ maxattachmentsize => "The maximum size (in kilobytes) of attachments to be stored " _
 "in the database. If a file larger than this size is attached " _
 "to ${terms.abug}, $terms.Bugzilla will look at the " _
- "maxlocalattachment parameter " _
+ "maxlocalattachment parameter " _
 "to determine if the file can be stored locally on the web server. " _
 "If the file size exceeds both limits, then the attachment is rejected. " _
 "Settings both parameters to 0 will prevent attaching files to ${terms.bugs}.",
 maxlocalattachment => "The maximum size (in megabytes) of attachments to be stored " _
 "locally on the web server. If set to a value lower than the " _
- "maxattachmentsize parameter, " _
+ "maxattachmentsize parameter, " _
 "attachments will never be kept on the local filesystem."
 }
 %]
diff --git a/template/en/default/admin/params/auth.html.tmpl b/template/en/default/admin/params/auth.html.tmpl
index 38090915e..0a72938ca 100644
--- a/template/en/default/admin/params/auth.html.tmpl
+++ b/template/en/default/admin/params/auth.html.tmpl
@@ -97,7 +97,7 @@
 "This defines the regular expression to use for legal email addresses. " _
 "The default tries to match fully qualified email addresses. " _
 "Use .* to accept any email address following the " _
- "RFC 2822 " _
+ "RFC 2822 " _
 "specification. Another popular value to put here is ^[^@]+$, " _
 "which means 'local usernames, no @ allowed.'",
-- 
cgit v1.2.3-65-gdbad