Closed Bug 192661 Opened 22 years ago Closed 21 years ago

Dependency graphs print bug summaries without html encoding

Categories

(Bugzilla :: Reporting/Charting, defect)

2.17.3
defect
Not set
critical

Tracking


RESOLVED FIXED
Bugzilla 2.18

People

(Reporter: jouni, Assigned: justdave)

References

Details

(Whiteboard: [fixed in 2.16.3] [fixed in 2.17.4])

Attachments

(2 files)

Locally generated dependency graphs print bug summaries without html encoding
when including summaries. I noticed this when patching bug 166346 and the patch
there doesn't include a fix for this. 

To reproduce: Configure BZ to use local dot installation, give a bug a summary
like '"><script>alert('yeah!')</script>' and create a dep graph with summaries.
You should see the alert dialog.
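As an added illustration (not Bugzilla's own code; the real showdependencygraph.cgi is Perl), the following contrasts interpolating a summary verbatim into a client-side image-map area tag with the HTML-encoded form, using the reproduction summary from this report; the exact tag layout and the contains_injected_tag check are assumptions made for the example.

```python
import html
import re

# Constructed sample data: a benign summary and the reproduction summary from this report.
BUGS = {
    166346: "Dependency graph summaries",
    192661: "\"><script>alert('yeah!')</script>",
}


def area_tag_unescaped(bug_id, summary):
    """Vulnerable pattern (illustrative, not the original Perl): the summary is
    dropped straight into attribute values, so a quote in it ends the attribute
    and the rest becomes live markup."""
    return f'<area alt="{summary}" title="{summary}" href="show_bug.cgi?id={bug_id}">'


def area_tag_escaped(bug_id, summary):
    """Hardened form: HTML-encode the summary (including quotes) before
    interpolating it, so it can only ever be attribute text."""
    safe = html.escape(summary, quote=True)
    return f'<area alt="{safe}" title="{safe}" href="show_bug.cgi?id={bug_id}">'


def build_image_map(bugs, escape=True):
    """Render the whole <map> for a dependency graph, one <area> per bug."""
    render = area_tag_escaped if escape else area_tag_unescaped
    areas = "\n".join(render(bug_id, summary) for bug_id, summary in sorted(bugs.items()))
    return f'<map name="depgraph">\n{areas}\n</map>'


def contains_injected_tag(markup):
    """Simple check for generated output: report any tag name other than the
    ones the generator is expected to emit (map and area)."""
    tags = re.findall(r"<\s*/?\s*([a-zA-Z]+)", markup)
    return any(t.lower() not in ("map", "area") for t in tags)


if __name__ == "__main__":
    print(build_image_map(BUGS, escape=False))
    print(build_image_map(BUGS, escape=True))
```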
uh oh

FYI, this is in the 2.16 branch as well.  2.16.3 here we come
Target Milestone: --- → Bugzilla 2.18
Whiteboard: [wanted for 2.16.3]
mine
Assignee: gerv → justdave
Attachment #114184 - Flags: review?(gerv)
Attachment #114184 - Flags: review?(bbaetz)
Attachment #114185 - Flags: review?(gerv)
Attachment #114185 - Flags: review?(bbaetz)
Comment on attachment 114184 [details] [diff] [review]
Patch against tip

Ew, that code is ugly.

r=bbaetz
Attachment #114184 - Flags: review?(bbaetz) → review+
Comment on attachment 114185 [details] [diff] [review]
patch against 2.16 branch

And again, eww + r=bbaetz
Attachment #114185 - Flags: review?(bbaetz) → review+
Comment on attachment 114185 [details] [diff] [review]
patch against 2.16 branch

r=gerv.

Gerv
Attachment #114185 - Flags: review?(gerv)
Comment on attachment 114184 [details] [diff] [review]
Patch against tip

r=gerv.

Gerv
Attachment #114184 - Flags: review?(gerv)
Putting this on the approval list...  will hold it there until about a day
before we're ready to roll with the release announcement, then we'll check it
in.  (that way we don't have it showing up on bonsai where people can see it
before it's been announced)
Flags: approval?
Whiteboard: [wanted for 2.16.3] → [fixed in 2.16.3][fixed on trunk][pending checkin on both]
I applied this patch on bmo, because it's now using local dot.
Just as FYI, this was introduced with the checkin from bug 134571, which was
checked in on 2002-05-07.
This is on hold for the moment until we sort out another security hole that was
just found.  We were mere hours from releasing 2.16.3 and 2.17.4 this morning
when it was found and I got a frantic "stop the presses" email.  We'll probably
be a few days sorting it out, but 2.16.3 and 2.17.4 will go out (with this in
it) as soon as we have all the known holes plugged.
Blocks: 190911
Flags: approval? → approval+
HEAD:

Checking in showdependencygraph.cgi;
/cvsroot/mozilla/webtools/bugzilla/showdependencygraph.cgi,v  <-- 
showdependencygraph.cgi
new revision: 1.27; previous revision: 1.26
done

BUGZILLA-2_16-BRANCH:

Checking in showdependencygraph.cgi;
/cvsroot/mozilla/webtools/bugzilla/showdependencygraph.cgi,v  <-- 
showdependencygraph.cgi
new revision: 1.18.2.2; previous revision: 1.18.2.1
done
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED
Whiteboard: [fixed in 2.16.3][fixed on trunk][pending checkin on both] → [fixed in 2.16.3][fixed on trunk]
Whiteboard: [fixed in 2.16.3][fixed on trunk] → [fixed in 2.16.3] [fixed in 2.17.4]
Security Advisory has been posted, removing security group
Group: webtools-security
QA Contact: matty_is_a_geek → default-qa