author | Frédéric Buclin <LpSolit@gmail.com> | 2011-01-24 19:29:39 +0100 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2011-01-24 19:29:39 +0100 |
commit | 9244270a7d1ca49e315a98c24d51bf405bfa2880 (patch) | |
tree | 46587cdf26360fd54abb79986d11c8b9234e4fe0 /template/en/default/bug/show-multiple.html.tmpl | |
parent | 38eeecf6362b6dc17718c84a35dbbaea7cc15ccd (diff) | |
Bug 619588: (CVE-2010-4567) [SECURITY] Safety checks that disallow clicking for javascript: or data: URLs in the URL field can be evaded with prefixed whitespace
and
Bug 628034: (CVE-2011-0048) [SECURITY] For not-logged-in users, the URL field doesn't safeguard against javascript: or data: URLs
r=dkl a=LpSolit
Diffstat (limited to 'template/en/default/bug/show-multiple.html.tmpl')
-rw-r--r-- | template/en/default/bug/show-multiple.html.tmpl | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/template/en/default/bug/show-multiple.html.tmpl b/template/en/default/bug/show-multiple.html.tmpl index 56f732667..33dde14a3 100644 --- a/template/en/default/bug/show-multiple.html.tmpl +++ b/template/en/default/bug/show-multiple.html.tmpl @@ -163,11 +163,11 @@ <tr> <th>[% field_descs.bug_file_loc FILTER html %]:</th> <td colspan="3"> - [% IF bug.bug_file_loc.match("^(javascript|data)") %] - [% bug.bug_file_loc FILTER html %] - [% ELSE %] + [% IF is_safe_url(bug.bug_file_loc) %] <a href="[% bug.bug_file_loc FILTER html %]"> [% bug.bug_file_loc FILTER html %]</a> + [% ELSE %] + [% bug.bug_file_loc FILTER html %] [% END %] </td> </tr> |
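Review bot: the hunk makes this template depend on `is_safe_url()`, and that helper's definition is outside the diffstat for this file, so it has to be confirmed separately that it closes the gap the commit message describes. The check it replaces, `bug.bug_file_loc.match("^(javascript|data)")`, was anchored at the first character and case-sensitive, so a value with leading whitespace or a mixed-case scheme fell through to the `<a href="...">` branch; `is_safe_url` should therefore trim leading whitespace and compare the scheme case-insensitively, and ideally accept a fixed allowlist of schemes rather than reject a list of known-bad ones, since any scheme not on the denylist would again become clickable. Swapping the branches so that the clickable link is the `IF` case and the escaped plain text is the `ELSE` case is the right shape: whatever the helper does not recognise degrades to text rather than to a link. Keeping `FILTER html` on both the `href` attribute and the link text is correct and is still required independently of the URL check.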