Bug 364096: The 'mybugstemplate' parameter is not filtered in templates (and its default value should use & instead of &amp;)
Status: Open, ASSIGNED. Opened 18 years ago, updated 11 years ago.
Categories: Bugzilla :: Administration, task
People: Reporter: reed, Assigned: reed
Attachments: 1 file, 2 obsolete files (3.63 KB patch; LpSolit: review-)
Currently, mybugstemplate uses &amp; and defaultquery uses &. The two parameters either both need to use & or both need to use &amp;. Using & will generate invalid HTML unless the href is filtered with url_quote first. &amp; is valid HTML.
Comment 1•18 years ago (Assignee)
Use &amp; for both.
Comment 3•18 years ago (Assignee)
Please choose one patch or the other, depending on what you decide to do. I will fix the issue of the url_quote filter not being used in another bug, so I haven't included it in the & one.
Comment 4•18 years ago
Comment on attachment 248886 [details] [diff] [review] (Use &amp; for both - v1)
Too dangerous, as an admin could change it back to & by accident.
Attachment #248886 - Flags: review?(LpSolit) → review-
Comment 5•18 years ago
Comment on attachment 248887 [details] [diff] [review] (Use & for both - v1)
Some places are not correctly filtered with this change. They must be fixed in the same patch.
Attachment #248887 - Flags: review?(LpSolit) → review-
Comment 6•18 years ago (Assignee)
Use & for mybugstemplate and then add FILTER html to places that were missing it.
Attachment #248886 - Attachment is obsolete: true
Attachment #248887 - Attachment is obsolete: true
Attachment #248926 - Flags: review?(LpSolit)
Comment 7•18 years ago
> Created an attachment (id=248926) [edit]
you should add a note on the admin page (admin/params/query...),
something like:
<br>Note " _
"that this value will be escaped so use unescaped " _
"strings e.g.: & instead of &amp;.
Comment 8•18 years ago
The problem with this bug/patch is that the query stored in data/params should be converted too, independently of the fix chosen (& or &amp; for both queries). I tested attachment 248926 [details] [diff] [review], and Apache seems to be able to parse it correctly anyway, even though the URL is now:

https://localhost/bugzilla/buglist.cgi?bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&emailassigned_to1=1&emailreporter1=1&emailtype1=exact&email1=LpSolit%40netscape.net&field0-0-0=bug_status&type0-0-0=notequals&value0-0-0=UNCONFIRMED&field0-0-1=reporter&type0-0-1=equals&value0-0-1=LpSolit%40netscape.net

When I click the "Edit Search" link, I get the following weird URL:

https://localhost/bugzilla/query.cgi?amp=&=&=&=&=&=&=&=&=&=&=&=&=&bug_status=UNCONFIRMED&bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&email1=LpSolit%40netscape.net&emailassigned_to1=1&emailreporter1=1&emailtype1=exact&field-1-0-0=bug_status&field-1-1-0=assigned_to&field-1-1-1=reporter&field0-0-0=bug_status&field0-0-1=reporter&query_format=advanced&remaction=&type-1-0-0=anyexact&type-1-1-0=anyexact&type-1-1-1=anyexact&type0-0-0=notequals&type0-0-1=equals&value-1-0-0=UNCONFIRMED%2CNEW%2CASSIGNED%2CREOPENED&value-1-1-0=LpSolit%40netscape.net&value-1-1-1=LpSolit%40netscape.net&value0-0-0=UNCONFIRMED&value0-0-1=LpSolit%40netscape.net

Don't ask me how this URL has been generated, I have no idea. But the query form is correctly filled. So I may accept this patch as is, but I want some feedback/comments first.
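The description's point (a raw & in an href needs an HTML filter, a pre-escaped &amp; does not) and the double-escaping hazard behind comments 8 and 9 (adding FILTER html without converting the stored &amp; value), shown side by side as an added Python illustration; this is not Bugzilla's Perl nor any code from this bug. The stored value is constructed, html.escape stands in for the template's FILTER html, and html.unescape plus parse_qs approximate what the browser and the CGI do with the rendered attribute.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for a stored 'mybugstemplate' value; not Bugzilla's real default.
STORED_RAW = "buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&email1=someone%40example.org"
# The pre-escaped form the report objects to: '&amp;' baked into the parameter itself.
STORED_PRE_ESCAPED = STORED_RAW.replace("&", "&amp;")


def render_href(stored, filter_html):
    """Attribute value a template emits; filter_html stands in for FILTER html."""
    return html.escape(stored, quote=True) if filter_html else stored


def every_ampersand_is_reference(attr_value):
    """The HTML 4 / XHTML rule the report applies: each '&' must start a complete reference."""
    bare = re.search(r"&(?![A-Za-z][A-Za-z0-9]*;|#[0-9]+;|#[xX][0-9A-Fa-f]+;)", attr_value)
    return bare is None


def server_side_params(attr_value):
    """Parameter names the CGI sees: the browser decodes references, then splits on '&'."""
    url = html.unescape(attr_value)
    return sorted(parse_qs(urlsplit(url).query, keep_blank_values=True))


if __name__ == "__main__":
    # Four combinations: how the value is stored x whether the template filters it.
    for label, stored in (("raw '&'", STORED_RAW), ("stored '&amp;'", STORED_PRE_ESCAPED)):
        for filter_html in (False, True):
            attr = render_href(stored, filter_html)
            print(f"{label:15} FILTER html={filter_html!s:5} "
                  f"valid={every_ampersand_is_reference(attr)!s:5} "
                  f"params={server_side_params(attr)}")
```

Only "raw & plus FILTER html" is both valid markup and correct on the server; the stored-&amp; form works unfiltered but breaks the moment the filter is added, which is why the stored value in data/params has to be converted in the same change.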
Comment 9•18 years ago
Comment on attachment 248926 [details] [diff] [review] (Use & and add filter - v2)
Per discussion with mkanat on IRC, this patch still has to convert the 'mybugstemplate' parameter stored in data/params. You do it from Bugzilla::Config::update_params().
Attachment #248926 - Flags: review?(LpSolit) → review-
Comment 11•16 years ago
The Bugzilla 3.0 branch is now locked to security bugs and dataloss fixes only. This bug doesn't fit into one of these two categories and is retargeted to 3.2 as part of a mass-change. To catch bugmails related to this mass-change, use lts081207 in your email client filter.
Target Milestone: Bugzilla 3.0 → Bugzilla 3.2
Comment 12•15 years ago
Bugzilla 3.2 is restricted to security bugs only. Moreover, this bug is either assigned to nobody or got no traction for several months now. Rather than retargeting it at each new release, I'm clearing the target milestone and the bug will be retargeted to some sensible release when someone starts fixing this bug for real (Bugzilla 3.8 more likely).
Target Milestone: Bugzilla 3.2 → ---
Updated•12 years ago
Summary: Bugzilla/Config/Query.pm's defaults for mybugstemplate and defaultquery should either use & or &amp;, not both! → The 'mybugstemplate' parameter is not filtered in templates (and its default value should use & instead of &amp;)