Closed Bug 133406 Opened 22 years ago Closed 22 years ago

errors if quotes in short_desc

Categories

(Bugzilla :: Creating/Changing Bugs, defect)

2.15
defect
Not set
normal

Tracking

()

RESOLVED FIXED
Bugzilla 2.16

People

(Reporter: jayvdb, Assigned: myk)

References

Details

(Whiteboard: [blocker will fix])

Attachments

(2 files)

show_bug.cgi does not filter quotes in the bug short_desc, resulting in invalid
HTML.
Attached patch: patch
I believe FILTER html or FILTER url will do this.
I tried those, with html doing nothing, and with uri, spaces become %20 and
quotes become %22
From http://www.template-toolkit.org/docs/plain/Manual/Filters.html#html

"html

Converts the characters '<', '>' and '&' to '&lt;', '&gt;' and '&amp',
respectively, protecting them from being interpreted as representing HTML tags
or entities. "

Hence no effect in this case.
Newer versions of the Template Toolkit's HTML filter do convert quotes to
&quot;, and the next release of Bugzilla will probably require version 2.07 when
it is shortly released.
Strangely enough, v2.06 does as well if I am reading Filter.pm:280 correctly.

            s/"/&quot;/g;

... yet it is not working for me.
We override the html filter to use html_quote from CGI.pl, which doesn't escape
quotes.

myk, should we just remove that override? It only affected a development version
of TT.

Of course, html_quote should handle ", too...
See also bug 133425. Sorry, this one was first, so strictly speaking that one
should depend on this one...
Blocks: 133425
We can't remove the override until TT releases a stable version with the proper
behavior.  This should happen in the near future (2.07 is on a release track). 
In the meantime, we should hack html_quote to do quotation marks as well.
Looking for reviews & checkin then...
myk: Why not? The current stable release (2.06) wasn't affected, I thought.
No longer blocks: 133425
Depends on: 133425
I swapped the dependencies back because this is included on the patch on the
other bug, so when that gets checked in, this will automatically get fixed.
Whiteboard: [blocker will fix[
Target Milestone: --- → Bugzilla 2.16
Whiteboard: [blocker will fix[ → [blocker will fix]
This got fixed incidentally in other show_bug cleanup work. So now either our
html_quote does the right thing, or TT's will when we switch back to that.

Gerv
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
QA Contact: matty_is_a_geek → default-qa
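
The effect discussed in this thread, as an added example (not Bugzilla's or Template Toolkit's code): a filter that escapes only `&`, `<` and `>` beside one that also escapes `"`, each applied to a summary placed in a double-quoted attribute. The function names, the `<input>` markup and the sample summary are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Escapes only &, < and >: the behaviour the thread describes for the
# overriding filter. (Hypothetical name, not the CGI.pl source.)
sub html_quote_no_quotes {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;    # must run first so later entities are not re-escaped
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Same, plus double quotes, so the result is safe inside a
# double-quoted attribute value. (Hypothetical name.)
sub html_quote_with_quotes {
    my ($s) = @_;
    $s = html_quote_no_quotes($s);
    $s =~ s/"/&quot;/g;
    return $s;
}

# Value a parser would read for the first value="..." attribute:
# everything up to the next double quote, with entities decoded.
sub parsed_attr_value {
    my ($html) = @_;
    my ($raw) = $html =~ /value="([^"]*)"/;
    for ($raw) { s/&quot;/"/g; s/&lt;/</g; s/&gt;/>/g; s/&amp;/&/g; }
    return $raw;
}

# Constructed sample summary containing quotes.
my $short_desc = 'Crash when clicking "Save" & closing <tab>';

for my $case (['no quotes',   \&html_quote_no_quotes],
              ['with quotes', \&html_quote_with_quotes]) {
    my ($name, $filter) = @$case;
    # Assumed markup: the summary rendered into an attribute value.
    my $html = '<input name="short_desc" value="' . $filter->($short_desc) . '">';
    my $seen = parsed_attr_value($html);
    printf "%-12s %s\n  parsed value: %s\n  round-trips:  %s\n",
        $name, $html, $seen, ($seen eq $short_desc ? 'yes' : 'no');
}
```

With the first filter the attribute ends at the first quote in the summary, so the parsed value is truncated and the rest of the text spills into the tag as stray markup; with the second the value round-trips intact.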